]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
man: drop reference to long gone .busname unit type
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09 2
034c6ed7
LP		 3#include <errno.h>
4#include <fcntl.h>
8dd4c05b 5#include <poll.h>
d251207d 6#include <sys/eventfd.h>
f5947a5e 7#include <sys/ioctl.h>
f3e43635 8#include <sys/mman.h>
8dd4c05b 9#include <sys/personality.h>
94f04347 10#include <sys/prctl.h>
d2ffa389 11#include <sys/shm.h>
d2ffa389 12#include <sys/types.h>
8dd4c05b
LP		 13#include <sys/un.h>
14#include <unistd.h>
023a4f67 15#include <utmpx.h>
5cb5a6ff 16
349cc4a5 17#if HAVE_PAM
5b6319dc
LP		 18#include <security/pam_appl.h>
19#endif
20
349cc4a5 21#if HAVE_SELINUX
7b52a628
MS		 22#include <selinux/selinux.h>
23#endif
24
349cc4a5 25#if HAVE_SECCOMP
17df7223
LP		 26#include <seccomp.h>
27#endif
28
349cc4a5 29#if HAVE_APPARMOR
eef65bf3
MS		 30#include <sys/apparmor.h>
31#endif
32
24882e06 33#include "sd-messages.h"
8dd4c05b
LP		 34
35#include "af-list.h"
b5efdb8a 36#include "alloc-util.h"
349cc4a5 37#if HAVE_APPARMOR
3ffd4af2
LP		 38#include "apparmor-util.h"
39#endif
8dd4c05b
LP		 40#include "async.h"
41#include "barrier.h"
8dd4c05b 42#include "cap-list.h"
430f0182 43#include "capability-util.h"
a1164ae3 44#include "chown-recursive.h"
fdb3deca 45#include "cgroup-setup.h"
da681e1b 46#include "cpu-set-util.h"
f6a6225e 47#include "def.h"
686d13b9 48#include "env-file.h"
4d1a6904 49#include "env-util.h"
17df7223 50#include "errno-list.h"
3ffd4af2 51#include "execute.h"
8dd4c05b 52#include "exit-status.h"
3ffd4af2 53#include "fd-util.h"
f97b34a6 54#include "format-util.h"
f4f15635 55#include "fs-util.h"
7d50b32a 56#include "glob-util.h"
0389f4fa 57#include "hexdecoct.h"
c004493c 58#include "io-util.h"
8dd4c05b 59#include "ioprio.h"
a1164ae3 60#include "label.h"
8dd4c05b
LP		 61#include "log.h"
62#include "macro.h"
e8a565cb 63#include "manager.h"
0a970718 64#include "memory-util.h"
f5947a5e 65#include "missing_fs.h"
8dd4c05b
LP		 66#include "mkdir.h"
67#include "namespace.h"
6bedfcbb 68#include "parse-util.h"
8dd4c05b 69#include "path-util.h"
0b452006 70#include "process-util.h"
78f22b97 71#include "rlimit-util.h"
8dd4c05b 72#include "rm-rf.h"
349cc4a5 73#if HAVE_SECCOMP
3ffd4af2
LP		 74#include "seccomp-util.h"
75#endif
07d46372 76#include "securebits-util.h"
8dd4c05b 77#include "selinux-util.h"
24882e06 78#include "signal-util.h"
8dd4c05b 79#include "smack-util.h"
57b7a260 80#include "socket-util.h"
fd63e712 81#include "special.h"
949befd3 82#include "stat-util.h"
8b43440b 83#include "string-table.h"
07630cea 84#include "string-util.h"
8dd4c05b 85#include "strv.h"
7ccbd1ae 86#include "syslog-util.h"
8dd4c05b 87#include "terminal-util.h"
566b7d23 88#include "umask-util.h"
8dd4c05b 89#include "unit.h"
b1d4f8e1 90#include "user-util.h"
8dd4c05b 91#include "utmp-wtmp.h"
5cb5a6ff 92
e056b01d 93#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 94#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 95
531dca78
LP		 96#define SNDBUF_SIZE (8*1024*1024)
97
da6053d0 98static int shift_fds(int fds[], size_t n_fds) {
034c6ed7
LP		 99 int start, restart_from;
100
101 if (n_fds <= 0)
102 return 0;
103
a0d40ac5
LP		 104 /* Modifies the fds array! (sorts it) */
105
034c6ed7
LP		 106 assert(fds);
107
108 start = 0;
109 for (;;) {
110 int i;
111
112 restart_from = -1;
113
114 for (i = start; i < (int) n_fds; i++) {
115 int nfd;
116
117 /* Already at right index? */
118 if (fds[i] == i+3)
119 continue;
120
3cc2aff1
LP		 121 nfd = fcntl(fds[i], F_DUPFD, i + 3);
122 if (nfd < 0)
034c6ed7
LP		 123 return -errno;
124
03e334a1 125 safe_close(fds[i]);
034c6ed7
LP		 126 fds[i] = nfd;
127
128 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 129 * let's remember that and try again from here */
034c6ed7
LP		 130 if (nfd != i+3 && restart_from < 0)
131 restart_from = i;
132 }
133
134 if (restart_from < 0)
135 break;
136
137 start = restart_from;
138 }
139
140 return 0;
141}
142
25b583d7 143static int flags_fds(const int fds[], size_t n_socket_fds, size_t n_storage_fds, bool nonblock) {
da6053d0 144 size_t i, n_fds;
e2c76839 145 int r;
47a71eed 146
25b583d7 147 n_fds = n_socket_fds + n_storage_fds;
47a71eed
LP		 148 if (n_fds <= 0)
149 return 0;
150
151 assert(fds);
152
9b141911
FB		 153 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
154 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 155
156 for (i = 0; i < n_fds; i++) {
47a71eed 157
9b141911
FB		 158 if (i < n_socket_fds) {
159 r = fd_nonblock(fds[i], nonblock);
160 if (r < 0)
161 return r;
162 }
47a71eed 163
451a074f
LP		 164 /* We unconditionally drop FD_CLOEXEC from the fds,
165 * since after all we want to pass these fds to our
166 * children */
47a71eed 167
3cc2aff1
LP		 168 r = fd_cloexec(fds[i], false);
169 if (r < 0)
e2c76839 170 return r;
47a71eed
LP		 171 }
172
173 return 0;
174}
175
1e22b5cd 176static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 177 assert(context);
178
1e22b5cd
LP		 179 if (context->stdio_as_fds)
180 return NULL;
181
80876c20
LP		 182 if (context->tty_path)
183 return context->tty_path;
184
185 return "/dev/console";
186}
187
1e22b5cd
LP		 188static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
189 const char *path;
190
6ea832a2
LP		 191 assert(context);
192
1e22b5cd 193 path = exec_context_tty_path(context);
6ea832a2 194
1e22b5cd
LP		 195 if (context->tty_vhangup) {
196 if (p && p->stdin_fd >= 0)
197 (void) terminal_vhangup_fd(p->stdin_fd);
198 else if (path)
199 (void) terminal_vhangup(path);
200 }
6ea832a2 201
1e22b5cd
LP		 202 if (context->tty_reset) {
203 if (p && p->stdin_fd >= 0)
204 (void) reset_terminal_fd(p->stdin_fd, true);
205 else if (path)
206 (void) reset_terminal(path);
207 }
208
209 if (context->tty_vt_disallocate && path)
210 (void) vt_disallocate(path);
6ea832a2
LP		 211}
212
6af760f3
LP		 213static bool is_terminal_input(ExecInput i) {
214 return IN_SET(i,
215 EXEC_INPUT_TTY,
216 EXEC_INPUT_TTY_FORCE,
217 EXEC_INPUT_TTY_FAIL);
218}
219
3a1286b6 220static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 221 return IN_SET(o,
222 EXEC_OUTPUT_TTY,
6af760f3
LP		 223 EXEC_OUTPUT_KMSG_AND_CONSOLE,
224 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
225}
226
aac8c0c3
LP		 227static bool is_kmsg_output(ExecOutput o) {
228 return IN_SET(o,
229 EXEC_OUTPUT_KMSG,
230 EXEC_OUTPUT_KMSG_AND_CONSOLE);
231}
232
6af760f3
LP		 233static bool exec_context_needs_term(const ExecContext *c) {
234 assert(c);
235
236 /* Return true if the execution context suggests we should set $TERM to something useful. */
237
238 if (is_terminal_input(c->std_input))
239 return true;
240
241 if (is_terminal_output(c->std_output))
242 return true;
243
244 if (is_terminal_output(c->std_error))
245 return true;
246
247 return !!c->tty_path;
3a1286b6
MS		 248}
249
80876c20 250static int open_null_as(int flags, int nfd) {
046a82c1 251 int fd;
071830ff 252
80876c20 253 assert(nfd >= 0);
071830ff 254
613b411c
LP		 255 fd = open("/dev/null", flags|O_NOCTTY);
256 if (fd < 0)
071830ff
LP		 257 return -errno;
258
046a82c1 259 return move_fd(fd, nfd, false);
071830ff
LP		 260}
261
91dd5f7c
LP		 262static int connect_journal_socket(
263 int fd,
264 const char *log_namespace,
265 uid_t uid,
266 gid_t gid) {
267
f36a9d59
ZJS		 268 union sockaddr_union sa;
269 socklen_t sa_len;
524daa8c
ZJS		 270 uid_t olduid = UID_INVALID;
271 gid_t oldgid = GID_INVALID;
91dd5f7c 272 const char *j;
524daa8c
ZJS		 273 int r;
274
91dd5f7c
LP		 275 j = log_namespace ?
276 strjoina("/run/systemd/journal.", log_namespace, "/stdout") :
277 "/run/systemd/journal/stdout";
278 r = sockaddr_un_set_path(&sa.un, j);
279 if (r < 0)
280 return r;
f36a9d59 281 sa_len = r;
91dd5f7c 282
cad93f29 283 if (gid_is_valid(gid)) {
524daa8c
ZJS		 284 oldgid = getgid();
285
92a17af9 286 if (setegid(gid) < 0)
524daa8c
ZJS		 287 return -errno;
288 }
289
cad93f29 290 if (uid_is_valid(uid)) {
524daa8c
ZJS		 291 olduid = getuid();
292
92a17af9 293 if (seteuid(uid) < 0) {
524daa8c
ZJS		 294 r = -errno;
295 goto restore_gid;
296 }
297 }
298
f36a9d59 299 r = connect(fd, &sa.sa, sa_len) < 0 ? -errno : 0;
524daa8c
ZJS		 300
301 /* If we fail to restore the uid or gid, things will likely
302 fail later on. This should only happen if an LSM interferes. */
303
cad93f29 304 if (uid_is_valid(uid))
524daa8c
ZJS		 305 (void) seteuid(olduid);
306
307 restore_gid:
cad93f29 308 if (gid_is_valid(gid))
524daa8c
ZJS		 309 (void) setegid(oldgid);
310
311 return r;
312}
313
fd1f9c89 314static int connect_logger_as(
34cf6c43 315 const Unit *unit,
fd1f9c89 316 const ExecContext *context,
af635cf3 317 const ExecParameters *params,
fd1f9c89
LP		 318 ExecOutput output,
319 const char *ident,
fd1f9c89
LP		 320 int nfd,
321 uid_t uid,
322 gid_t gid) {
323
2ac1ff68
EV		 324 _cleanup_close_ int fd = -1;
325 int r;
071830ff
LP		 326
327 assert(context);
af635cf3 328 assert(params);
80876c20
LP		 329 assert(output < _EXEC_OUTPUT_MAX);
330 assert(ident);
331 assert(nfd >= 0);
071830ff 332
54fe0cdb
LP		 333 fd = socket(AF_UNIX, SOCK_STREAM, 0);
334 if (fd < 0)
80876c20 335 return -errno;
071830ff 336
91dd5f7c 337 r = connect_journal_socket(fd, context->log_namespace, uid, gid);
524daa8c
ZJS		 338 if (r < 0)
339 return r;
071830ff 340
2ac1ff68 341 if (shutdown(fd, SHUT_RD) < 0)
80876c20 342 return -errno;
071830ff 343
fd1f9c89 344 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 345
2ac1ff68 346 if (dprintf(fd,
62bca2c6 347 "%s\n"
80876c20
LP		 348 "%s\n"
349 "%i\n"
54fe0cdb
LP		 350 "%i\n"
351 "%i\n"
352 "%i\n"
4f4a1dbf 353 "%i\n",
c867611e 354 context->syslog_identifier ?: ident,
af635cf3 355 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 356 context->syslog_priority,
357 !!context->syslog_level_prefix,
f3dc6af2 358 false,
aac8c0c3 359 is_kmsg_output(output),
2ac1ff68
EV		 360 is_terminal_output(output)) < 0)
361 return -errno;
80876c20 362
2ac1ff68 363 return move_fd(TAKE_FD(fd), nfd, false);
80876c20 364}
2ac1ff68 365
3a274a21 366static int open_terminal_as(const char *path, int flags, int nfd) {
046a82c1 367 int fd;
071830ff 368
80876c20
LP		 369 assert(path);
370 assert(nfd >= 0);
fd1f9c89 371
3a274a21 372 fd = open_terminal(path, flags | O_NOCTTY);
3cc2aff1 373 if (fd < 0)
80876c20 374 return fd;
071830ff 375
046a82c1 376 return move_fd(fd, nfd, false);
80876c20 377}
071830ff 378
2038c3f5 379static int acquire_path(const char *path, int flags, mode_t mode) {
86fca584
ZJS		 380 union sockaddr_union sa;
381 socklen_t sa_len;
15a3e96f 382 _cleanup_close_ int fd = -1;
86fca584 383 int r;
071830ff 384
80876c20 385 assert(path);
071830ff 386
2038c3f5
LP		 387 if (IN_SET(flags & O_ACCMODE, O_WRONLY, O_RDWR))
388 flags |= O_CREAT;
389
390 fd = open(path, flags|O_NOCTTY, mode);
391 if (fd >= 0)
15a3e96f 392 return TAKE_FD(fd);
071830ff 393
2038c3f5
LP		 394 if (errno != ENXIO) /* ENXIO is returned when we try to open() an AF_UNIX file system socket on Linux */
395 return -errno;
2038c3f5
LP		 396
397 /* So, it appears the specified path could be an AF_UNIX socket. Let's see if we can connect to it. */
398
86fca584
ZJS		 399 r = sockaddr_un_set_path(&sa.un, path);
400 if (r < 0)
401 return r == -EINVAL ? -ENXIO : r;
402 sa_len = r;
403
2038c3f5
LP		 404 fd = socket(AF_UNIX, SOCK_STREAM, 0);
405 if (fd < 0)
406 return -errno;
407
86fca584 408 if (connect(fd, &sa.sa, sa_len) < 0)
2038c3f5
LP		 409 return errno == EINVAL ? -ENXIO : -errno; /* Propagate initial error if we get EINVAL, i.e. we have
410 * indication that his wasn't an AF_UNIX socket after all */
071830ff 411
2038c3f5
LP		 412 if ((flags & O_ACCMODE) == O_RDONLY)
413 r = shutdown(fd, SHUT_WR);
414 else if ((flags & O_ACCMODE) == O_WRONLY)
415 r = shutdown(fd, SHUT_RD);
416 else
86fca584 417 r = 0;
15a3e96f 418 if (r < 0)
2038c3f5 419 return -errno;
2038c3f5 420
15a3e96f 421 return TAKE_FD(fd);
80876c20 422}
071830ff 423
08f3be7a
LP		 424static int fixup_input(
425 const ExecContext *context,
426 int socket_fd,
427 bool apply_tty_stdin) {
428
429 ExecInput std_input;
430
431 assert(context);
432
433 std_input = context->std_input;
1e3ad081
LP		 434
435 if (is_terminal_input(std_input) && !apply_tty_stdin)
436 return EXEC_INPUT_NULL;
071830ff 437
03fd9c49 438 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 439 return EXEC_INPUT_NULL;
440
08f3be7a
LP		 441 if (std_input == EXEC_INPUT_DATA && context->stdin_data_size == 0)
442 return EXEC_INPUT_NULL;
443
03fd9c49 444 return std_input;
4f2d528d
LP		 445}
446
03fd9c49 447static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 448
03fd9c49 449 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 450 return EXEC_OUTPUT_INHERIT;
451
03fd9c49 452 return std_output;
4f2d528d
LP		 453}
454
a34ceba6
LP		 455static int setup_input(
456 const ExecContext *context,
457 const ExecParameters *params,
52c239d7 458 int socket_fd,
2caa38e9 459 const int named_iofds[static 3]) {
a34ceba6 460
4f2d528d
LP		 461 ExecInput i;
462
463 assert(context);
a34ceba6 464 assert(params);
2caa38e9 465 assert(named_iofds);
a34ceba6
LP		 466
467 if (params->stdin_fd >= 0) {
468 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
469 return -errno;
470
471 /* Try to make this the controlling tty, if it is a tty, and reset it */
1fb0682e
LP		 472 if (isatty(STDIN_FILENO)) {
473 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
474 (void) reset_terminal_fd(STDIN_FILENO, true);
475 }
a34ceba6
LP		 476
477 return STDIN_FILENO;
478 }
4f2d528d 479
08f3be7a 480 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 481
482 switch (i) {
071830ff 483
80876c20
LP		 484 case EXEC_INPUT_NULL:
485 return open_null_as(O_RDONLY, STDIN_FILENO);
486
487 case EXEC_INPUT_TTY:
488 case EXEC_INPUT_TTY_FORCE:
489 case EXEC_INPUT_TTY_FAIL: {
046a82c1 490 int fd;
071830ff 491
1e22b5cd 492 fd = acquire_terminal(exec_context_tty_path(context),
8854d795
LP		 493 i == EXEC_INPUT_TTY_FAIL ? ACQUIRE_TERMINAL_TRY :
494 i == EXEC_INPUT_TTY_FORCE ? ACQUIRE_TERMINAL_FORCE :
495 ACQUIRE_TERMINAL_WAIT,
3a43da28 496 USEC_INFINITY);
970edce6 497 if (fd < 0)
80876c20
LP		 498 return fd;
499
046a82c1 500 return move_fd(fd, STDIN_FILENO, false);
80876c20
LP		 501 }
502
4f2d528d 503 case EXEC_INPUT_SOCKET:
e75a9ed1
LP		 504 assert(socket_fd >= 0);
505
4f2d528d
LP		 506 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
507
52c239d7 508 case EXEC_INPUT_NAMED_FD:
e75a9ed1
LP		 509 assert(named_iofds[STDIN_FILENO] >= 0);
510
52c239d7
LB		 511 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
512 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
513
08f3be7a
LP		 514 case EXEC_INPUT_DATA: {
515 int fd;
516
517 fd = acquire_data_fd(context->stdin_data, context->stdin_data_size, 0);
518 if (fd < 0)
519 return fd;
520
521 return move_fd(fd, STDIN_FILENO, false);
522 }
523
2038c3f5
LP		 524 case EXEC_INPUT_FILE: {
525 bool rw;
526 int fd;
527
528 assert(context->stdio_file[STDIN_FILENO]);
529
530 rw = (context->std_output == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDOUT_FILENO])) ||
531 (context->std_error == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDERR_FILENO]));
532
533 fd = acquire_path(context->stdio_file[STDIN_FILENO], rw ? O_RDWR : O_RDONLY, 0666 & ~context->umask);
534 if (fd < 0)
535 return fd;
536
537 return move_fd(fd, STDIN_FILENO, false);
538 }
539
80876c20
LP		 540 default:
541 assert_not_reached("Unknown input type");
542 }
543}
544
41fc585a
LP		 545static bool can_inherit_stderr_from_stdout(
546 const ExecContext *context,
547 ExecOutput o,
548 ExecOutput e) {
549
550 assert(context);
551
552 /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
553 * stderr fd */
554
555 if (e == EXEC_OUTPUT_INHERIT)
556 return true;
557 if (e != o)
558 return false;
559
560 if (e == EXEC_OUTPUT_NAMED_FD)
561 return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
562
563 if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND))
564 return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
565
566 return true;
567}
568
a34ceba6 569static int setup_output(
34cf6c43 570 const Unit *unit,
a34ceba6
LP		 571 const ExecContext *context,
572 const ExecParameters *params,
573 int fileno,
574 int socket_fd,
2caa38e9 575 const int named_iofds[static 3],
a34ceba6 576 const char *ident,
7bce046b
LP		 577 uid_t uid,
578 gid_t gid,
579 dev_t *journal_stream_dev,
580 ino_t *journal_stream_ino) {
a34ceba6 581
4f2d528d
LP		 582 ExecOutput o;
583 ExecInput i;
47c1d80d 584 int r;
4f2d528d 585
f2341e0a 586 assert(unit);
80876c20 587 assert(context);
a34ceba6 588 assert(params);
80876c20 589 assert(ident);
7bce046b
LP		 590 assert(journal_stream_dev);
591 assert(journal_stream_ino);
80876c20 592
a34ceba6
LP		 593 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
594
595 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
596 return -errno;
597
598 return STDOUT_FILENO;
599 }
600
601 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
602 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
603 return -errno;
604
605 return STDERR_FILENO;
606 }
607
08f3be7a 608 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 609 o = fixup_output(context->std_output, socket_fd);
4f2d528d 610
eb17e935
MS		 611 if (fileno == STDERR_FILENO) {
612 ExecOutput e;
613 e = fixup_output(context->std_error, socket_fd);
80876c20 614
eb17e935
MS		 615 /* This expects the input and output are already set up */
616
617 /* Don't change the stderr file descriptor if we inherit all
618 * the way and are not on a tty */
619 if (e == EXEC_OUTPUT_INHERIT &&
620 o == EXEC_OUTPUT_INHERIT &&
621 i == EXEC_INPUT_NULL &&
622 !is_terminal_input(context->std_input) &&
623 getppid () != 1)
624 return fileno;
625
626 /* Duplicate from stdout if possible */
41fc585a 627 if (can_inherit_stderr_from_stdout(context, o, e))
eb17e935 628 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 629
eb17e935 630 o = e;
80876c20 631
eb17e935 632 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 633 /* If input got downgraded, inherit the original value */
634 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 635 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 636
08f3be7a
LP		 637 /* If the input is connected to anything that's not a /dev/null or a data fd, inherit that... */
638 if (!IN_SET(i, EXEC_INPUT_NULL, EXEC_INPUT_DATA))
eb17e935 639 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 640
acb591e4
LP		 641 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
642 if (getppid() != 1)
eb17e935 643 return fileno;
94f04347 644
eb17e935
MS		 645 /* We need to open /dev/null here anew, to get the right access mode. */
646 return open_null_as(O_WRONLY, fileno);
071830ff 647 }
94f04347 648
eb17e935 649 switch (o) {
80876c20
LP		 650
651 case EXEC_OUTPUT_NULL:
eb17e935 652 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 653
654 case EXEC_OUTPUT_TTY:
4f2d528d 655 if (is_terminal_input(i))
eb17e935 656 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 657
658 /* We don't reset the terminal if this is just about output */
1e22b5cd 659 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20 660
9a6bca7a 661 case EXEC_OUTPUT_KMSG:
28dbc1e8 662 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 663 case EXEC_OUTPUT_JOURNAL:
664 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 665 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 666 if (r < 0) {
82677ae4 667 log_unit_warning_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 668 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 669 } else {
670 struct stat st;
671
672 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
673 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
ab2116b1
LP		 674 * services to detect whether they are connected to the journal or not.
675 *
676 * If both stdout and stderr are connected to a stream then let's make sure to store the data
677 * about STDERR as that's usually the best way to do logging. */
7bce046b 678
ab2116b1
LP		 679 if (fstat(fileno, &st) >= 0 &&
680 (*journal_stream_ino == 0 || fileno == STDERR_FILENO)) {
7bce046b
LP		 681 *journal_stream_dev = st.st_dev;
682 *journal_stream_ino = st.st_ino;
683 }
47c1d80d
MS		 684 }
685 return r;
4f2d528d
LP		 686
687 case EXEC_OUTPUT_SOCKET:
688 assert(socket_fd >= 0);
e75a9ed1 689
eb17e935 690 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 691
52c239d7 692 case EXEC_OUTPUT_NAMED_FD:
e75a9ed1
LP		 693 assert(named_iofds[fileno] >= 0);
694
52c239d7
LB		 695 (void) fd_nonblock(named_iofds[fileno], false);
696 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
697
566b7d23
ZD		 698 case EXEC_OUTPUT_FILE:
699 case EXEC_OUTPUT_FILE_APPEND: {
2038c3f5 700 bool rw;
566b7d23 701 int fd, flags;
2038c3f5
LP		 702
703 assert(context->stdio_file[fileno]);
704
705 rw = context->std_input == EXEC_INPUT_FILE &&
706 streq_ptr(context->stdio_file[fileno], context->stdio_file[STDIN_FILENO]);
707
708 if (rw)
709 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
710
566b7d23
ZD		 711 flags = O_WRONLY;
712 if (o == EXEC_OUTPUT_FILE_APPEND)
713 flags |= O_APPEND;
714
715 fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
2038c3f5
LP		 716 if (fd < 0)
717 return fd;
718
566b7d23 719 return move_fd(fd, fileno, 0);
2038c3f5
LP		 720 }
721
94f04347 722 default:
80876c20 723 assert_not_reached("Unknown error type");
94f04347 724 }
071830ff
LP		 725}
726
02a51aba 727static int chown_terminal(int fd, uid_t uid) {
4b3b5bc7 728 int r;
02a51aba
LP		 729
730 assert(fd >= 0);
02a51aba 731
1ff74fb6 732 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
4b3b5bc7
LP		 733 if (isatty(fd) < 1) {
734 if (IN_SET(errno, EINVAL, ENOTTY))
735 return 0; /* not a tty */
1ff74fb6 736
02a51aba 737 return -errno;
4b3b5bc7 738 }
02a51aba 739
4b3b5bc7
LP		 740 /* This might fail. What matters are the results. */
741 r = fchmod_and_chown(fd, TTY_MODE, uid, -1);
742 if (r < 0)
743 return r;
02a51aba 744
4b3b5bc7 745 return 1;
02a51aba
LP		 746}
747
7d5ceb64 748static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 749 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
750 int r;
80876c20 751
80876c20
LP		 752 assert(_saved_stdin);
753 assert(_saved_stdout);
754
af6da548
LP		 755 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
756 if (saved_stdin < 0)
757 return -errno;
80876c20 758
af6da548 759 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 760 if (saved_stdout < 0)
761 return -errno;
80876c20 762
8854d795 763 fd = acquire_terminal(vc, ACQUIRE_TERMINAL_WAIT, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 764 if (fd < 0)
765 return fd;
80876c20 766
af6da548
LP		 767 r = chown_terminal(fd, getuid());
768 if (r < 0)
3d18b167 769 return r;
02a51aba 770
3d18b167
LP		 771 r = reset_terminal_fd(fd, true);
772 if (r < 0)
773 return r;
80876c20 774
2b33ab09 775 r = rearrange_stdio(fd, fd, STDERR_FILENO);
3d18b167 776 fd = -1;
2b33ab09
LP		 777 if (r < 0)
778 return r;
80876c20
LP		 779
780 *_saved_stdin = saved_stdin;
781 *_saved_stdout = saved_stdout;
782
3d18b167 783 saved_stdin = saved_stdout = -1;
80876c20 784
3d18b167 785 return 0;
80876c20
LP		 786}
787
63d77c92 788static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 789 assert(err < 0);
790
791 if (err == -ETIMEDOUT)
63d77c92 792 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 793 else {
794 errno = -err;
63d77c92 795 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 796 }
797}
798
63d77c92 799static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 800 _cleanup_close_ int fd = -1;
80876c20 801
3b20f877 802 assert(vc);
80876c20 803
7d5ceb64 804 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 805 if (fd < 0)
3b20f877 806 return;
80876c20 807
63d77c92 808 write_confirm_error_fd(err, fd, u);
af6da548 809}
80876c20 810
3d18b167 811static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 812 int r = 0;
80876c20 813
af6da548
LP		 814 assert(saved_stdin);
815 assert(saved_stdout);
816
817 release_terminal();
818
819 if (*saved_stdin >= 0)
80876c20 820 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 821 r = -errno;
80876c20 822
af6da548 823 if (*saved_stdout >= 0)
80876c20 824 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 825 r = -errno;
80876c20 826
3d18b167
LP		 827 *saved_stdin = safe_close(*saved_stdin);
828 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 829
830 return r;
831}
832
3b20f877
FB		 833enum {
834 CONFIRM_PRETEND_FAILURE = -1,
835 CONFIRM_PRETEND_SUCCESS = 0,
836 CONFIRM_EXECUTE = 1,
837};
838
eedf223a 839static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 840 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 841 _cleanup_free_ char *e = NULL;
3b20f877 842 char c;
af6da548 843
3b20f877 844 /* For any internal errors, assume a positive response. */
7d5ceb64 845 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 846 if (r < 0) {
63d77c92 847 write_confirm_error(r, vc, u);
3b20f877
FB		 848 return CONFIRM_EXECUTE;
849 }
af6da548 850
b0eb2944
FB		 851 /* confirm_spawn might have been disabled while we were sleeping. */
852 if (manager_is_confirm_spawn_disabled(u->manager)) {
853 r = 1;
854 goto restore_stdio;
855 }
af6da548 856
2bcd3c26
FB		 857 e = ellipsize(cmdline, 60, 100);
858 if (!e) {
859 log_oom();
860 r = CONFIRM_EXECUTE;
861 goto restore_stdio;
862 }
af6da548 863
d172b175 864 for (;;) {
539622bd 865 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 866 if (r < 0) {
63d77c92 867 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 868 r = CONFIRM_EXECUTE;
869 goto restore_stdio;
870 }
af6da548 871
d172b175 872 switch (c) {
b0eb2944
FB		 873 case 'c':
874 printf("Resuming normal execution.\n");
875 manager_disable_confirm_spawn();
876 r = 1;
877 break;
dd6f9ac0
FB		 878 case 'D':
879 unit_dump(u, stdout, " ");
880 continue; /* ask again */
d172b175
FB		 881 case 'f':
882 printf("Failing execution.\n");
883 r = CONFIRM_PRETEND_FAILURE;
884 break;
885 case 'h':
b0eb2944
FB		 886 printf(" c - continue, proceed without asking anymore\n"
887 " D - dump, show the state of the unit\n"
dd6f9ac0 888 " f - fail, don't execute the command and pretend it failed\n"
d172b175 889 " h - help\n"
eedf223a 890 " i - info, show a short summary of the unit\n"
56fde33a 891 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 892 " s - skip, don't execute the command and pretend it succeeded\n"
893 " y - yes, execute the command\n");
dd6f9ac0 894 continue; /* ask again */
eedf223a
FB		 895 case 'i':
896 printf(" Description: %s\n"
897 " Unit: %s\n"
898 " Command: %s\n",
899 u->id, u->description, cmdline);
900 continue; /* ask again */
56fde33a
FB		 901 case 'j':
902 manager_dump_jobs(u->manager, stdout, " ");
903 continue; /* ask again */
539622bd
FB		 904 case 'n':
905 /* 'n' was removed in favor of 'f'. */
906 printf("Didn't understand 'n', did you mean 'f'?\n");
907 continue; /* ask again */
d172b175
FB		 908 case 's':
909 printf("Skipping execution.\n");
910 r = CONFIRM_PRETEND_SUCCESS;
911 break;
912 case 'y':
913 r = CONFIRM_EXECUTE;
914 break;
915 default:
916 assert_not_reached("Unhandled choice");
917 }
3b20f877 918 break;
3b20f877 919 }
af6da548 920
3b20f877 921restore_stdio:
af6da548 922 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 923 return r;
80876c20
LP		 924}
925
4d885bd3
DH		 926static int get_fixed_user(const ExecContext *c, const char **user,
927 uid_t *uid, gid_t *gid,
928 const char **home, const char **shell) {
81a2b7ce 929 int r;
4d885bd3 930 const char *name;
81a2b7ce 931
4d885bd3 932 assert(c);
81a2b7ce 933
23deef88
LP		 934 if (!c->user)
935 return 0;
936
4d885bd3
DH		 937 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
938 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 939
23deef88 940 name = c->user;
fafff8f1 941 r = get_user_creds(&name, uid, gid, home, shell, USER_CREDS_CLEAN);
4d885bd3
DH		 942 if (r < 0)
943 return r;
81a2b7ce 944
4d885bd3
DH		 945 *user = name;
946 return 0;
947}
948
949static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
950 int r;
951 const char *name;
952
953 assert(c);
954
955 if (!c->group)
956 return 0;
957
958 name = c->group;
fafff8f1 959 r = get_group_creds(&name, gid, 0);
4d885bd3
DH		 960 if (r < 0)
961 return r;
962
963 *group = name;
964 return 0;
965}
966
cdc5d5c5
DH		 967static int get_supplementary_groups(const ExecContext *c, const char *user,
968 const char *group, gid_t gid,
969 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 970 char **i;
971 int r, k = 0;
972 int ngroups_max;
973 bool keep_groups = false;
974 gid_t *groups = NULL;
975 _cleanup_free_ gid_t *l_gids = NULL;
976
977 assert(c);
978
bbeea271
DH		 979 /*
980 * If user is given, then lookup GID and supplementary groups list.
981 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 982 * here and as early as possible so we keep the list of supplementary
983 * groups of the caller.
bbeea271
DH		 984 */
985 if (user && gid_is_valid(gid) && gid != 0) {
986 /* First step, initialize groups from /etc/groups */
987 if (initgroups(user, gid) < 0)
988 return -errno;
989
990 keep_groups = true;
991 }
992
ac6e8be6 993 if (strv_isempty(c->supplementary_groups))
4d885bd3
DH		 994 return 0;
995
366ddd25
DH		 996 /*
997 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
998 * be positive, otherwise fail.
999 */
1000 errno = 0;
1001 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
66855de7
LP		 1002 if (ngroups_max <= 0)
1003 return errno_or_else(EOPNOTSUPP);
366ddd25 1004
4d885bd3
DH		 1005 l_gids = new(gid_t, ngroups_max);
1006 if (!l_gids)
1007 return -ENOMEM;
81a2b7ce 1008
4d885bd3
DH		 1009 if (keep_groups) {
1010 /*
1011 * Lookup the list of groups that the user belongs to, we
1012 * avoid NSS lookups here too for gid=0.
1013 */
1014 k = ngroups_max;
1015 if (getgrouplist(user, gid, l_gids, &k) < 0)
1016 return -EINVAL;
1017 } else
1018 k = 0;
81a2b7ce 1019
4d885bd3
DH		 1020 STRV_FOREACH(i, c->supplementary_groups) {
1021 const char *g;
81a2b7ce 1022
4d885bd3
DH		 1023 if (k >= ngroups_max)
1024 return -E2BIG;
81a2b7ce 1025
4d885bd3 1026 g = *i;
fafff8f1 1027 r = get_group_creds(&g, l_gids+k, 0);
4d885bd3
DH		 1028 if (r < 0)
1029 return r;
81a2b7ce 1030
4d885bd3
DH		 1031 k++;
1032 }
81a2b7ce 1033
4d885bd3
DH		 1034 /*
1035 * Sets ngids to zero to drop all supplementary groups, happens
1036 * when we are under root and SupplementaryGroups= is empty.
1037 */
1038 if (k == 0) {
1039 *ngids = 0;
1040 return 0;
1041 }
81a2b7ce 1042
4d885bd3
DH		 1043 /* Otherwise get the final list of supplementary groups */
1044 groups = memdup(l_gids, sizeof(gid_t) * k);
1045 if (!groups)
1046 return -ENOMEM;
1047
1048 *supplementary_gids = groups;
1049 *ngids = k;
1050
1051 groups = NULL;
1052
1053 return 0;
1054}
1055
34cf6c43 1056static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) {
4d885bd3
DH		 1057 int r;
1058
709dbeac
YW		 1059 /* Handle SupplementaryGroups= if it is not empty */
1060 if (ngids > 0) {
4d885bd3
DH		 1061 r = maybe_setgroups(ngids, supplementary_gids);
1062 if (r < 0)
97f0e76f 1063 return r;
4d885bd3 1064 }
81a2b7ce 1065
4d885bd3
DH		 1066 if (gid_is_valid(gid)) {
1067 /* Then set our gids */
1068 if (setresgid(gid, gid, gid) < 0)
1069 return -errno;
81a2b7ce
LP		 1070 }
1071
1072 return 0;
1073}
1074
1075static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 1076 assert(context);
1077
4d885bd3
DH		 1078 if (!uid_is_valid(uid))
1079 return 0;
1080
479050b3 1081 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 1082 * capabilities while doing so. */
1083
479050b3 1084 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 1085
1086 /* First step: If we need to keep capabilities but
1087 * drop privileges we need to make sure we keep our
cbb21cca 1088 * caps, while we drop privileges. */
693ced48 1089 if (uid != 0) {
cbb21cca 1090 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 1091
1092 if (prctl(PR_GET_SECUREBITS) != sb)
1093 if (prctl(PR_SET_SECUREBITS, sb) < 0)
1094 return -errno;
1095 }
81a2b7ce
LP		 1096 }
1097
479050b3 1098 /* Second step: actually set the uids */
81a2b7ce
LP		 1099 if (setresuid(uid, uid, uid) < 0)
1100 return -errno;
1101
1102 /* At this point we should have all necessary capabilities but
1103 are otherwise a normal user. However, the caps might got
1104 corrupted due to the setresuid() so we need clean them up
1105 later. This is done outside of this call. */
1106
1107 return 0;
1108}
1109
349cc4a5 1110#if HAVE_PAM
5b6319dc
LP		 1111
1112static int null_conv(
1113 int num_msg,
1114 const struct pam_message **msg,
1115 struct pam_response **resp,
1116 void *appdata_ptr) {
1117
1118 /* We don't support conversations */
1119
1120 return PAM_CONV_ERR;
1121}
1122
cefc33ae
LP		 1123#endif
1124
5b6319dc
LP		 1125static int setup_pam(
1126 const char *name,
1127 const char *user,
940c5210 1128 uid_t uid,
2d6fce8d 1129 gid_t gid,
5b6319dc 1130 const char *tty,
2065ca69 1131 char ***env,
5b8d1f6b 1132 const int fds[], size_t n_fds) {
5b6319dc 1133
349cc4a5 1134#if HAVE_PAM
cefc33ae 1135
5b6319dc
LP		 1136 static const struct pam_conv conv = {
1137 .conv = null_conv,
1138 .appdata_ptr = NULL
1139 };
1140
2d7c6aa2 1141 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1142 pam_handle_t *handle = NULL;
d6e5f3ad 1143 sigset_t old_ss;
7bb70b6e 1144 int pam_code = PAM_SUCCESS, r;
84eada2f 1145 char **nv, **e = NULL;
5b6319dc
LP		 1146 bool close_session = false;
1147 pid_t pam_pid = 0, parent_pid;
970edce6 1148 int flags = 0;
5b6319dc
LP		 1149
1150 assert(name);
1151 assert(user);
2065ca69 1152 assert(env);
5b6319dc
LP		 1153
1154 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1155 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1156 * systemd via the cgroup logic. It will then remove the PAM
1157 * session again. The parent process will exec() the actual
1158 * daemon. We do things this way to ensure that the main PID
1159 * of the daemon is the one we initially fork()ed. */
1160
7bb70b6e
LP		 1161 r = barrier_create(&barrier);
1162 if (r < 0)
2d7c6aa2
DH		 1163 goto fail;
1164
553d2243 1165 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1166 flags |= PAM_SILENT;
1167
f546241b
ZJS		 1168 pam_code = pam_start(name, user, &conv, &handle);
1169 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1170 handle = NULL;
1171 goto fail;
1172 }
1173
3cd24c1a
LP		 1174 if (!tty) {
1175 _cleanup_free_ char *q = NULL;
1176
1177 /* Hmm, so no TTY was explicitly passed, but an fd passed to us directly might be a TTY. Let's figure
1178 * out if that's the case, and read the TTY off it. */
1179
1180 if (getttyname_malloc(STDIN_FILENO, &q) >= 0)
1181 tty = strjoina("/dev/", q);
1182 }
1183
f546241b
ZJS		 1184 if (tty) {
1185 pam_code = pam_set_item(handle, PAM_TTY, tty);
1186 if (pam_code != PAM_SUCCESS)
5b6319dc 1187 goto fail;
f546241b 1188 }
5b6319dc 1189
84eada2f
JW		 1190 STRV_FOREACH(nv, *env) {
1191 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1192 if (pam_code != PAM_SUCCESS)
1193 goto fail;
1194 }
1195
970edce6 1196 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1197 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1198 goto fail;
1199
3bb39ea9
DG		 1200 pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | flags);
1201 if (pam_code != PAM_SUCCESS)
46d7c6af 1202 log_debug("pam_setcred() failed, ignoring: %s", pam_strerror(handle, pam_code));
3bb39ea9 1203
970edce6 1204 pam_code = pam_open_session(handle, flags);
f546241b 1205 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1206 goto fail;
1207
1208 close_session = true;
1209
f546241b
ZJS		 1210 e = pam_getenvlist(handle);
1211 if (!e) {
5b6319dc
LP		 1212 pam_code = PAM_BUF_ERR;
1213 goto fail;
1214 }
1215
1216 /* Block SIGTERM, so that we know that it won't get lost in
1217 * the child */
ce30c8dc 1218
72c0a2c2 1219 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1220
df0ff127 1221 parent_pid = getpid_cached();
5b6319dc 1222
4c253ed1
LP		 1223 r = safe_fork("(sd-pam)", 0, &pam_pid);
1224 if (r < 0)
5b6319dc 1225 goto fail;
4c253ed1 1226 if (r == 0) {
7bb70b6e 1227 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1228
1229 /* The child's job is to reset the PAM session on
1230 * termination */
2d7c6aa2 1231 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc 1232
4c253ed1
LP		 1233 /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only those fds
1234 * are open here that have been opened by PAM. */
1235 (void) close_many(fds, n_fds);
5b6319dc 1236
940c5210
AK		 1237 /* Drop privileges - we don't need any to pam_close_session
1238 * and this will make PR_SET_PDEATHSIG work in most cases.
1239 * If this fails, ignore the error - but expect sd-pam threads
1240 * to fail to exit normally */
2d6fce8d 1241
97f0e76f
LP		 1242 r = maybe_setgroups(0, NULL);
1243 if (r < 0)
1244 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1245 if (setresgid(gid, gid, gid) < 0)
1246 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1247 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1248 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1249
ce30c8dc
LP		 1250 (void) ignore_signals(SIGPIPE, -1);
1251
940c5210
AK		 1252 /* Wait until our parent died. This will only work if
1253 * the above setresuid() succeeds, otherwise the kernel
1254 * will not allow unprivileged parents kill their privileged
1255 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1256 * to do the rest for us. */
1257 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1258 goto child_finish;
1259
2d7c6aa2
DH		 1260 /* Tell the parent that our setup is done. This is especially
1261 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1262 * setup might race against our setresuid(2) call.
1263 *
1264 * If the parent aborted, we'll detect this below, hence ignore
1265 * return failure here. */
1266 (void) barrier_place(&barrier);
2d7c6aa2 1267
643f4706 1268 /* Check if our parent process might already have died? */
5b6319dc 1269 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1270 sigset_t ss;
1271
1272 assert_se(sigemptyset(&ss) >= 0);
1273 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1274
3dead8d9
LP		 1275 for (;;) {
1276 if (sigwait(&ss, &sig) < 0) {
1277 if (errno == EINTR)
1278 continue;
1279
1280 goto child_finish;
1281 }
5b6319dc 1282
3dead8d9
LP		 1283 assert(sig == SIGTERM);
1284 break;
1285 }
5b6319dc
LP		 1286 }
1287
3bb39ea9
DG		 1288 pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags);
1289 if (pam_code != PAM_SUCCESS)
1290 goto child_finish;
1291
3dead8d9 1292 /* If our parent died we'll end the session */
f546241b 1293 if (getppid() != parent_pid) {
970edce6 1294 pam_code = pam_close_session(handle, flags);
f546241b 1295 if (pam_code != PAM_SUCCESS)
5b6319dc 1296 goto child_finish;
f546241b 1297 }
5b6319dc 1298
7bb70b6e 1299 ret = 0;
5b6319dc
LP		 1300
1301 child_finish:
970edce6 1302 pam_end(handle, pam_code | flags);
7bb70b6e 1303 _exit(ret);
5b6319dc
LP		 1304 }
1305
2d7c6aa2
DH		 1306 barrier_set_role(&barrier, BARRIER_PARENT);
1307
5b6319dc
LP		 1308 /* If the child was forked off successfully it will do all the
1309 * cleanups, so forget about the handle here. */
1310 handle = NULL;
1311
3b8bddde 1312 /* Unblock SIGTERM again in the parent */
72c0a2c2 1313 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1314
1315 /* We close the log explicitly here, since the PAM modules
1316 * might have opened it, but we don't want this fd around. */
1317 closelog();
1318
2d7c6aa2
DH		 1319 /* Synchronously wait for the child to initialize. We don't care for
1320 * errors as we cannot recover. However, warn loudly if it happens. */
1321 if (!barrier_place_and_sync(&barrier))
1322 log_error("PAM initialization failed");
1323
130d3d22 1324 return strv_free_and_replace(*env, e);
5b6319dc
LP		 1325
1326fail:
970edce6
ZJS		 1327 if (pam_code != PAM_SUCCESS) {
1328 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1329 r = -EPERM; /* PAM errors do not map to errno */
1330 } else
1331 log_error_errno(r, "PAM failed: %m");
9ba35398 1332
5b6319dc
LP		 1333 if (handle) {
1334 if (close_session)
970edce6 1335 pam_code = pam_close_session(handle, flags);
5b6319dc 1336
970edce6 1337 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1338 }
1339
1340 strv_free(e);
5b6319dc
LP		 1341 closelog();
1342
7bb70b6e 1343 return r;
cefc33ae
LP		 1344#else
1345 return 0;
5b6319dc 1346#endif
cefc33ae 1347}
5b6319dc 1348
5d6b1584
LP		 1349static void rename_process_from_path(const char *path) {
1350 char process_name[11];
1351 const char *p;
1352 size_t l;
1353
1354 /* This resulting string must fit in 10 chars (i.e. the length
1355 * of "/sbin/init") to look pretty in /bin/ps */
1356
2b6bf07d 1357 p = basename(path);
5d6b1584
LP		 1358 if (isempty(p)) {
1359 rename_process("(...)");
1360 return;
1361 }
1362
1363 l = strlen(p);
1364 if (l > 8) {
1365 /* The end of the process name is usually more
1366 * interesting, since the first bit might just be
1367 * "systemd-" */
1368 p = p + l - 8;
1369 l = 8;
1370 }
1371
1372 process_name[0] = '(';
1373 memcpy(process_name+1, p, l);
1374 process_name[1+l] = ')';
1375 process_name[1+l+1] = 0;
1376
1377 rename_process(process_name);
1378}
1379
469830d1
LP		 1380static bool context_has_address_families(const ExecContext *c) {
1381 assert(c);
1382
6b000af4 1383 return c->address_families_allow_list ||
469830d1
LP		 1384 !set_isempty(c->address_families);
1385}
1386
1387static bool context_has_syscall_filters(const ExecContext *c) {
1388 assert(c);
1389
6b000af4 1390 return c->syscall_allow_list ||
8cfa775f 1391 !hashmap_isempty(c->syscall_filter);
469830d1
LP		 1392}
1393
1394static bool context_has_no_new_privileges(const ExecContext *c) {
1395 assert(c);
1396
1397 if (c->no_new_privileges)
1398 return true;
1399
1400 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1401 return false;
1402
1403 /* We need NNP if we have any form of seccomp and are unprivileged */
1404 return context_has_address_families(c) ||
1405 c->memory_deny_write_execute ||
1406 c->restrict_realtime ||
f69567cb 1407 c->restrict_suid_sgid ||
469830d1 1408 exec_context_restrict_namespaces_set(c) ||
fc64760d 1409 c->protect_clock ||
469830d1
LP		 1410 c->protect_kernel_tunables ||
1411 c->protect_kernel_modules ||
84703040 1412 c->protect_kernel_logs ||
469830d1
LP		 1413 c->private_devices ||
1414 context_has_syscall_filters(c) ||
78e864e5 1415 !set_isempty(c->syscall_archs) ||
aecd5ac6
TM		 1416 c->lock_personality ||
1417 c->protect_hostname;
469830d1
LP		 1418}
1419
349cc4a5 1420#if HAVE_SECCOMP
17df7223 1421
83f12b27 1422static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1423
1424 if (is_seccomp_available())
1425 return false;
1426
f673b62d 1427 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
f673b62d 1428 return true;
83f12b27
FS		 1429}
1430
165a31c0 1431static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ambient_hack) {
469830d1 1432 uint32_t negative_action, default_action, action;
165a31c0 1433 int r;
8351ceae 1434
469830d1 1435 assert(u);
c0467cf3 1436 assert(c);
8351ceae 1437
469830d1 1438 if (!context_has_syscall_filters(c))
83f12b27
FS		 1439 return 0;
1440
469830d1
LP		 1441 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1442 return 0;
e9642be2 1443
ccc16c78 1444 negative_action = c->syscall_errno == 0 ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1445
6b000af4 1446 if (c->syscall_allow_list) {
469830d1
LP		 1447 default_action = negative_action;
1448 action = SCMP_ACT_ALLOW;
7c66bae2 1449 } else {
469830d1
LP		 1450 default_action = SCMP_ACT_ALLOW;
1451 action = negative_action;
57183d11 1452 }
8351ceae 1453
165a31c0 1454 if (needs_ambient_hack) {
6b000af4 1455 r = seccomp_filter_set_add(c->syscall_filter, c->syscall_allow_list, syscall_filter_sets + SYSCALL_FILTER_SET_SETUID);
165a31c0
LP		 1456 if (r < 0)
1457 return r;
1458 }
1459
b54f36c6 1460 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
4298d0b5
LP		 1461}
1462
469830d1
LP		 1463static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1464 assert(u);
4298d0b5
LP		 1465 assert(c);
1466
469830d1 1467 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1468 return 0;
1469
469830d1
LP		 1470 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1471 return 0;
4298d0b5 1472
469830d1
LP		 1473 return seccomp_restrict_archs(c->syscall_archs);
1474}
4298d0b5 1475
469830d1
LP		 1476static int apply_address_families(const Unit* u, const ExecContext *c) {
1477 assert(u);
1478 assert(c);
4298d0b5 1479
469830d1
LP		 1480 if (!context_has_address_families(c))
1481 return 0;
4298d0b5 1482
469830d1
LP		 1483 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1484 return 0;
4298d0b5 1485
6b000af4 1486 return seccomp_restrict_address_families(c->address_families, c->address_families_allow_list);
8351ceae 1487}
4298d0b5 1488
83f12b27 1489static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1490 assert(u);
f3e43635
TM		 1491 assert(c);
1492
469830d1 1493 if (!c->memory_deny_write_execute)
83f12b27
FS		 1494 return 0;
1495
469830d1
LP		 1496 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1497 return 0;
f3e43635 1498
469830d1 1499 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1500}
1501
83f12b27 1502static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1503 assert(u);
f4170c67
LP		 1504 assert(c);
1505
469830d1 1506 if (!c->restrict_realtime)
83f12b27
FS		 1507 return 0;
1508
469830d1
LP		 1509 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1510 return 0;
f4170c67 1511
469830d1 1512 return seccomp_restrict_realtime();
f4170c67
LP		 1513}
1514
f69567cb
LP		 1515static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
1516 assert(u);
1517 assert(c);
1518
1519 if (!c->restrict_suid_sgid)
1520 return 0;
1521
1522 if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
1523 return 0;
1524
1525 return seccomp_restrict_suid_sgid();
1526}
1527
59e856c7 1528static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1529 assert(u);
59eeb84b
LP		 1530 assert(c);
1531
1532 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1533 * let's protect even those systems where this is left on in the kernel. */
1534
469830d1 1535 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1536 return 0;
1537
469830d1
LP		 1538 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1539 return 0;
59eeb84b 1540
469830d1 1541 return seccomp_protect_sysctl();
59eeb84b
LP		 1542}
1543
59e856c7 1544static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1545 assert(u);
502d704e
DH		 1546 assert(c);
1547
25a8d8a0 1548 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1549
469830d1
LP		 1550 if (!c->protect_kernel_modules)
1551 return 0;
1552
502d704e
DH		 1553 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1554 return 0;
1555
b54f36c6 1556 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
502d704e
DH		 1557}
1558
84703040
KK		 1559static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
1560 assert(u);
1561 assert(c);
1562
1563 if (!c->protect_kernel_logs)
1564 return 0;
1565
1566 if (skip_seccomp_unavailable(u, "ProtectKernelLogs="))
1567 return 0;
1568
1569 return seccomp_protect_syslog();
1570}
1571
daf8f72b 1572static int apply_protect_clock(const Unit *u, const ExecContext *c) {
fc64760d
KK		 1573 assert(u);
1574 assert(c);
1575
1576 if (!c->protect_clock)
1577 return 0;
1578
1579 if (skip_seccomp_unavailable(u, "ProtectClock="))
1580 return 0;
1581
1582 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false);
1583}
1584
59e856c7 1585static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1586 assert(u);
ba128bb8
LP		 1587 assert(c);
1588
8f81a5f6 1589 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1590
469830d1
LP		 1591 if (!c->private_devices)
1592 return 0;
1593
ba128bb8
LP		 1594 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1595 return 0;
1596
b54f36c6 1597 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
ba128bb8
LP		 1598}
1599
34cf6c43 1600static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
469830d1 1601 assert(u);
add00535
LP		 1602 assert(c);
1603
1604 if (!exec_context_restrict_namespaces_set(c))
1605 return 0;
1606
1607 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1608 return 0;
1609
1610 return seccomp_restrict_namespaces(c->restrict_namespaces);
1611}
1612
78e864e5 1613static int apply_lock_personality(const Unit* u, const ExecContext *c) {
e8132d63
LP		 1614 unsigned long personality;
1615 int r;
78e864e5
TM		 1616
1617 assert(u);
1618 assert(c);
1619
1620 if (!c->lock_personality)
1621 return 0;
1622
1623 if (skip_seccomp_unavailable(u, "LockPersonality="))
1624 return 0;
1625
e8132d63
LP		 1626 personality = c->personality;
1627
1628 /* If personality is not specified, use either PER_LINUX or PER_LINUX32 depending on what is currently set. */
1629 if (personality == PERSONALITY_INVALID) {
1630
1631 r = opinionated_personality(&personality);
1632 if (r < 0)
1633 return r;
1634 }
78e864e5
TM		 1635
1636 return seccomp_lock_personality(personality);
1637}
1638
c0467cf3 1639#endif
8351ceae 1640
daf8f72b 1641static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
daf8f72b
LP		 1642 assert(u);
1643 assert(c);
1644
1645 if (!c->protect_hostname)
1646 return 0;
1647
1648 if (ns_type_supported(NAMESPACE_UTS)) {
1649 if (unshare(CLONE_NEWUTS) < 0) {
1650 if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
1651 *ret_exit_status = EXIT_NAMESPACE;
1652 return log_unit_error_errno(u, errno, "Failed to set up UTS namespacing: %m");
1653 }
1654
1655 log_unit_warning(u, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
1656 }
1657 } else
1658 log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
1659
1660#if HAVE_SECCOMP
8f3e342f
ZJS		 1661 int r;
1662
daf8f72b
LP		 1663 if (skip_seccomp_unavailable(u, "ProtectHostname="))
1664 return 0;
1665
1666 r = seccomp_protect_hostname();
1667 if (r < 0) {
1668 *ret_exit_status = EXIT_SECCOMP;
1669 return log_unit_error_errno(u, r, "Failed to apply hostname restrictions: %m");
1670 }
1671#endif
1672
1673 return 0;
1674}
1675
3042bbeb 1676static void do_idle_pipe_dance(int idle_pipe[static 4]) {
31a7eb86
ZJS		 1677 assert(idle_pipe);
1678
54eb2300
LP		 1679 idle_pipe[1] = safe_close(idle_pipe[1]);
1680 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1681
1682 if (idle_pipe[0] >= 0) {
1683 int r;
1684
1685 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1686
1687 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1688 ssize_t n;
1689
31a7eb86 1690 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1691 n = write(idle_pipe[3], "x", 1);
1692 if (n > 0)
cd972d69 1693 /* Wait for systemd to react to the signal above. */
54756dce 1694 (void) fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1695 }
1696
54eb2300 1697 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1698
1699 }
1700
54eb2300 1701 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1702}
1703
fb2042dd
YW		 1704static const char *exec_directory_env_name_to_string(ExecDirectoryType t);
1705
7cae38c4 1706static int build_environment(
34cf6c43 1707 const Unit *u,
9fa95f85 1708 const ExecContext *c,
1e22b5cd 1709 const ExecParameters *p,
da6053d0 1710 size_t n_fds,
7cae38c4
LP		 1711 const char *home,
1712 const char *username,
1713 const char *shell,
7bce046b
LP		 1714 dev_t journal_stream_dev,
1715 ino_t journal_stream_ino,
7cae38c4
LP		 1716 char ***ret) {
1717
1718 _cleanup_strv_free_ char **our_env = NULL;
fb2042dd 1719 ExecDirectoryType t;
da6053d0 1720 size_t n_env = 0;
7cae38c4
LP		 1721 char *x;
1722
4b58153d 1723 assert(u);
7cae38c4 1724 assert(c);
7c1cb6f1 1725 assert(p);
7cae38c4
LP		 1726 assert(ret);
1727
8d5bb13d
LP		 1728#define N_ENV_VARS 15
1729 our_env = new0(char*, N_ENV_VARS + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4
LP		 1730 if (!our_env)
1731 return -ENOMEM;
1732
1733 if (n_fds > 0) {
8dd4c05b
LP		 1734 _cleanup_free_ char *joined = NULL;
1735
df0ff127 1736 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1737 return -ENOMEM;
1738 our_env[n_env++] = x;
1739
da6053d0 1740 if (asprintf(&x, "LISTEN_FDS=%zu", n_fds) < 0)
7cae38c4
LP		 1741 return -ENOMEM;
1742 our_env[n_env++] = x;
8dd4c05b 1743
1e22b5cd 1744 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1745 if (!joined)
1746 return -ENOMEM;
1747
605405c6 1748 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1749 if (!x)
1750 return -ENOMEM;
1751 our_env[n_env++] = x;
7cae38c4
LP		 1752 }
1753
b08af3b1 1754 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1755 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1756 return -ENOMEM;
1757 our_env[n_env++] = x;
1758
1e22b5cd 1759 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1760 return -ENOMEM;
1761 our_env[n_env++] = x;
1762 }
1763
fd63e712
LP		 1764 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1765 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1766 * check the database directly. */
ac647978 1767 if (p->flags & EXEC_NSS_BYPASS_BUS) {
fd63e712
LP		 1768 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1769 if (!x)
1770 return -ENOMEM;
1771 our_env[n_env++] = x;
1772 }
1773
7cae38c4 1774 if (home) {
b910cc72 1775 x = strjoin("HOME=", home);
7cae38c4
LP		 1776 if (!x)
1777 return -ENOMEM;
7bbead1d
LP		 1778
1779 path_simplify(x + 5, true);
7cae38c4
LP		 1780 our_env[n_env++] = x;
1781 }
1782
1783 if (username) {
b910cc72 1784 x = strjoin("LOGNAME=", username);
7cae38c4
LP		 1785 if (!x)
1786 return -ENOMEM;
1787 our_env[n_env++] = x;
1788
b910cc72 1789 x = strjoin("USER=", username);
7cae38c4
LP		 1790 if (!x)
1791 return -ENOMEM;
1792 our_env[n_env++] = x;
1793 }
1794
1795 if (shell) {
b910cc72 1796 x = strjoin("SHELL=", shell);
7cae38c4
LP		 1797 if (!x)
1798 return -ENOMEM;
7bbead1d
LP		 1799
1800 path_simplify(x + 6, true);
7cae38c4
LP		 1801 our_env[n_env++] = x;
1802 }
1803
4b58153d
LP		 1804 if (!sd_id128_is_null(u->invocation_id)) {
1805 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1806 return -ENOMEM;
1807
1808 our_env[n_env++] = x;
1809 }
1810
6af760f3
LP		 1811 if (exec_context_needs_term(c)) {
1812 const char *tty_path, *term = NULL;
1813
1814 tty_path = exec_context_tty_path(c);
1815
e8cf09b2
LP		 1816 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try
1817 * to inherit the $TERM set for PID 1. This is useful for containers so that the $TERM the
1818 * container manager passes to PID 1 ends up all the way in the console login shown. */
6af760f3 1819
e8cf09b2 1820 if (path_equal_ptr(tty_path, "/dev/console") && getppid() == 1)
6af760f3 1821 term = getenv("TERM");
e8cf09b2 1822
6af760f3
LP		 1823 if (!term)
1824 term = default_term_for_tty(tty_path);
7cae38c4 1825
b910cc72 1826 x = strjoin("TERM=", term);
7cae38c4
LP		 1827 if (!x)
1828 return -ENOMEM;
1829 our_env[n_env++] = x;
1830 }
1831
7bce046b
LP		 1832 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1833 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1834 return -ENOMEM;
1835
1836 our_env[n_env++] = x;
1837 }
1838
91dd5f7c
LP		 1839 if (c->log_namespace) {
1840 x = strjoin("LOG_NAMESPACE=", c->log_namespace);
1841 if (!x)
1842 return -ENOMEM;
1843
1844 our_env[n_env++] = x;
1845 }
1846
fb2042dd
YW		 1847 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1848 _cleanup_free_ char *pre = NULL, *joined = NULL;
1849 const char *n;
1850
1851 if (!p->prefix[t])
1852 continue;
1853
1854 if (strv_isempty(c->directories[t].paths))
1855 continue;
1856
1857 n = exec_directory_env_name_to_string(t);
1858 if (!n)
1859 continue;
1860
1861 pre = strjoin(p->prefix[t], "/");
1862 if (!pre)
1863 return -ENOMEM;
1864
1865 joined = strv_join_prefix(c->directories[t].paths, ":", pre);
1866 if (!joined)
1867 return -ENOMEM;
1868
1869 x = strjoin(n, "=", joined);
1870 if (!x)
1871 return -ENOMEM;
1872
1873 our_env[n_env++] = x;
1874 }
1875
7cae38c4 1876 our_env[n_env++] = NULL;
8d5bb13d
LP		 1877 assert(n_env <= N_ENV_VARS + _EXEC_DIRECTORY_TYPE_MAX);
1878#undef N_ENV_VARS
7cae38c4 1879
ae2a15bc 1880 *ret = TAKE_PTR(our_env);
7cae38c4
LP		 1881
1882 return 0;
1883}
1884
b4c14404
FB		 1885static int build_pass_environment(const ExecContext *c, char ***ret) {
1886 _cleanup_strv_free_ char **pass_env = NULL;
1887 size_t n_env = 0, n_bufsize = 0;
1888 char **i;
1889
1890 STRV_FOREACH(i, c->pass_environment) {
1891 _cleanup_free_ char *x = NULL;
1892 char *v;
1893
1894 v = getenv(*i);
1895 if (!v)
1896 continue;
605405c6 1897 x = strjoin(*i, "=", v);
b4c14404
FB		 1898 if (!x)
1899 return -ENOMEM;
00819cc1 1900
b4c14404
FB		 1901 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1902 return -ENOMEM;
00819cc1 1903
1cc6c93a 1904 pass_env[n_env++] = TAKE_PTR(x);
b4c14404 1905 pass_env[n_env] = NULL;
b4c14404
FB		 1906 }
1907
ae2a15bc 1908 *ret = TAKE_PTR(pass_env);
b4c14404
FB		 1909
1910 return 0;
1911}
1912
8b44a3d2
LP		 1913static bool exec_needs_mount_namespace(
1914 const ExecContext *context,
1915 const ExecParameters *params,
4657abb5 1916 const ExecRuntime *runtime) {
8b44a3d2
LP		 1917
1918 assert(context);
1919 assert(params);
1920
915e6d16
LP		 1921 if (context->root_image)
1922 return true;
1923
2a624c36
AP		 1924 if (!strv_isempty(context->read_write_paths) ||
1925 !strv_isempty(context->read_only_paths) ||
1926 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1927 return true;
1928
42b1d8e0 1929 if (context->n_bind_mounts > 0)
d2d6c096
LP		 1930 return true;
1931
2abd4e38
YW		 1932 if (context->n_temporary_filesystems > 0)
1933 return true;
1934
b3d13314
LB		 1935 if (context->n_mount_images > 0)
1936 return true;
1937
37ed15d7 1938 if (!IN_SET(context->mount_flags, 0, MS_SHARED))
8b44a3d2
LP		 1939 return true;
1940
1941 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1942 return true;
1943
8b44a3d2 1944 if (context->private_devices ||
228af36f 1945 context->private_mounts ||
8b44a3d2 1946 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1947 context->protect_home != PROTECT_HOME_NO ||
1948 context->protect_kernel_tunables ||
c575770b 1949 context->protect_kernel_modules ||
94a7b275 1950 context->protect_kernel_logs ||
59eeb84b 1951 context->protect_control_groups)
8b44a3d2
LP		 1952 return true;
1953
37c56f89
YW		 1954 if (context->root_directory) {
1955 ExecDirectoryType t;
1956
1957 if (context->mount_apivfs)
1958 return true;
1959
1960 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1961 if (!params->prefix[t])
1962 continue;
1963
1964 if (!strv_isempty(context->directories[t].paths))
1965 return true;
1966 }
1967 }
5d997827 1968
42b1d8e0 1969 if (context->dynamic_user &&
b43ee82f 1970 (!strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
42b1d8e0
YW		 1971 !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
1972 !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
1973 return true;
1974
91dd5f7c
LP		 1975 if (context->log_namespace)
1976 return true;
1977
8b44a3d2
LP		 1978 return false;
1979}
1980
5749f855 1981static int setup_private_users(uid_t ouid, gid_t ogid, uid_t uid, gid_t gid) {
d251207d
LP		 1982 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1983 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1984 _cleanup_close_ int unshare_ready_fd = -1;
1985 _cleanup_(sigkill_waitp) pid_t pid = 0;
1986 uint64_t c = 1;
d251207d
LP		 1987 ssize_t n;
1988 int r;
1989
5749f855
AZ		 1990 /* Set up a user namespace and map the original UID/GID (IDs from before any user or group changes, i.e.
1991 * the IDs from the user or system manager(s)) to itself, the selected UID/GID to itself, and everything else to
d251207d
LP		 1992 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1993 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1994 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1995 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
5749f855
AZ		 1996 * continues execution normally.
1997 * For unprivileged users (i.e. without capabilities), the root to root mapping is excluded. As such, it
1998 * does not need CAP_SETUID to write the single line mapping to itself. */
d251207d 1999
5749f855
AZ		 2000 /* Can only set up multiple mappings with CAP_SETUID. */
2001 if (have_effective_cap(CAP_SETUID) && uid != ouid && uid_is_valid(uid))
587ab01b 2002 r = asprintf(&uid_map,
5749f855 2003 UID_FMT " " UID_FMT " 1\n" /* Map $OUID → $OUID */
587ab01b 2004 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
5749f855
AZ		 2005 ouid, ouid, uid, uid);
2006 else
2007 r = asprintf(&uid_map,
2008 UID_FMT " " UID_FMT " 1\n", /* Map $OUID → $OUID */
2009 ouid, ouid);
d251207d 2010
5749f855
AZ		 2011 if (r < 0)
2012 return -ENOMEM;
2013
2014 /* Can only set up multiple mappings with CAP_SETGID. */
2015 if (have_effective_cap(CAP_SETGID) && gid != ogid && gid_is_valid(gid))
587ab01b 2016 r = asprintf(&gid_map,
5749f855 2017 GID_FMT " " GID_FMT " 1\n" /* Map $OGID → $OGID */
587ab01b 2018 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
5749f855
AZ		 2019 ogid, ogid, gid, gid);
2020 else
2021 r = asprintf(&gid_map,
2022 GID_FMT " " GID_FMT " 1\n", /* Map $OGID -> $OGID */
2023 ogid, ogid);
2024
2025 if (r < 0)
2026 return -ENOMEM;
d251207d
LP		 2027
2028 /* Create a communication channel so that the parent can tell the child when it finished creating the user
2029 * namespace. */
2030 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
2031 if (unshare_ready_fd < 0)
2032 return -errno;
2033
2034 /* Create a communication channel so that the child can tell the parent a proper error code in case it
2035 * failed. */
2036 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
2037 return -errno;
2038
4c253ed1
LP		 2039 r = safe_fork("(sd-userns)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &pid);
2040 if (r < 0)
2041 return r;
2042 if (r == 0) {
d251207d
LP		 2043 _cleanup_close_ int fd = -1;
2044 const char *a;
2045 pid_t ppid;
2046
2047 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
2048 * here, after the parent opened its own user namespace. */
2049
2050 ppid = getppid();
2051 errno_pipe[0] = safe_close(errno_pipe[0]);
2052
2053 /* Wait until the parent unshared the user namespace */
2054 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
2055 r = -errno;
2056 goto child_fail;
2057 }
2058
2059 /* Disable the setgroups() system call in the child user namespace, for good. */
2060 a = procfs_file_alloca(ppid, "setgroups");
2061 fd = open(a, O_WRONLY|O_CLOEXEC);
2062 if (fd < 0) {
2063 if (errno != ENOENT) {
2064 r = -errno;
2065 goto child_fail;
2066 }
2067
2068 /* If the file is missing the kernel is too old, let's continue anyway. */
2069 } else {
2070 if (write(fd, "deny\n", 5) < 0) {
2071 r = -errno;
2072 goto child_fail;
2073 }
2074
2075 fd = safe_close(fd);
2076 }
2077
2078 /* First write the GID map */
2079 a = procfs_file_alloca(ppid, "gid_map");
2080 fd = open(a, O_WRONLY|O_CLOEXEC);
2081 if (fd < 0) {
2082 r = -errno;
2083 goto child_fail;
2084 }
2085 if (write(fd, gid_map, strlen(gid_map)) < 0) {
2086 r = -errno;
2087 goto child_fail;
2088 }
2089 fd = safe_close(fd);
2090
2091 /* The write the UID map */
2092 a = procfs_file_alloca(ppid, "uid_map");
2093 fd = open(a, O_WRONLY|O_CLOEXEC);
2094 if (fd < 0) {
2095 r = -errno;
2096 goto child_fail;
2097 }
2098 if (write(fd, uid_map, strlen(uid_map)) < 0) {
2099 r = -errno;
2100 goto child_fail;
2101 }
2102
2103 _exit(EXIT_SUCCESS);
2104
2105 child_fail:
2106 (void) write(errno_pipe[1], &r, sizeof(r));
2107 _exit(EXIT_FAILURE);
2108 }
2109
2110 errno_pipe[1] = safe_close(errno_pipe[1]);
2111
2112 if (unshare(CLONE_NEWUSER) < 0)
2113 return -errno;
2114
2115 /* Let the child know that the namespace is ready now */
2116 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
2117 return -errno;
2118
2119 /* Try to read an error code from the child */
2120 n = read(errno_pipe[0], &r, sizeof(r));
2121 if (n < 0)
2122 return -errno;
2123 if (n == sizeof(r)) { /* an error code was sent to us */
2124 if (r < 0)
2125 return r;
2126 return -EIO;
2127 }
2128 if (n != 0) /* on success we should have read 0 bytes */
2129 return -EIO;
2130
2e87a1fd
LP		 2131 r = wait_for_terminate_and_check("(sd-userns)", pid, 0);
2132 pid = 0;
d251207d
LP		 2133 if (r < 0)
2134 return r;
2e87a1fd 2135 if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
d251207d
LP		 2136 return -EIO;
2137
2138 return 0;
2139}
2140
494d0247
YW		 2141static bool exec_directory_is_private(const ExecContext *context, ExecDirectoryType type) {
2142 if (!context->dynamic_user)
2143 return false;
2144
2145 if (type == EXEC_DIRECTORY_CONFIGURATION)
2146 return false;
2147
2148 if (type == EXEC_DIRECTORY_RUNTIME && context->runtime_directory_preserve_mode == EXEC_PRESERVE_NO)
2149 return false;
2150
2151 return true;
2152}
2153
3536f49e 2154static int setup_exec_directory(
07689d5d
LP		 2155 const ExecContext *context,
2156 const ExecParameters *params,
2157 uid_t uid,
3536f49e 2158 gid_t gid,
3536f49e
YW		 2159 ExecDirectoryType type,
2160 int *exit_status) {
07689d5d 2161
72fd1768 2162 static const int exit_status_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 2163 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
2164 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
2165 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
2166 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
2167 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
2168 };
07689d5d
LP		 2169 char **rt;
2170 int r;
2171
2172 assert(context);
2173 assert(params);
72fd1768 2174 assert(type >= 0 && type < _EXEC_DIRECTORY_TYPE_MAX);
3536f49e 2175 assert(exit_status);
07689d5d 2176
3536f49e
YW		 2177 if (!params->prefix[type])
2178 return 0;
2179
8679efde 2180 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 2181 if (!uid_is_valid(uid))
2182 uid = 0;
2183 if (!gid_is_valid(gid))
2184 gid = 0;
2185 }
2186
2187 STRV_FOREACH(rt, context->directories[type].paths) {
6c47cd7d 2188 _cleanup_free_ char *p = NULL, *pp = NULL;
07689d5d 2189
edbfeb12 2190 p = path_join(params->prefix[type], *rt);
3536f49e
YW		 2191 if (!p) {
2192 r = -ENOMEM;
2193 goto fail;
2194 }
07689d5d 2195
23a7448e
YW		 2196 r = mkdir_parents_label(p, 0755);
2197 if (r < 0)
3536f49e 2198 goto fail;
23a7448e 2199
494d0247 2200 if (exec_directory_is_private(context, type)) {
6c9c51e5 2201 _cleanup_free_ char *private_root = NULL;
6c47cd7d 2202
3f5b1508
LP		 2203 /* So, here's one extra complication when dealing with DynamicUser=1 units. In that
2204 * case we want to avoid leaving a directory around fully accessible that is owned by
2205 * a dynamic user whose UID is later on reused. To lock this down we use the same
2206 * trick used by container managers to prohibit host users to get access to files of
2207 * the same UID in containers: we place everything inside a directory that has an
2208 * access mode of 0700 and is owned root:root, so that it acts as security boundary
2209 * for unprivileged host code. We then use fs namespacing to make this directory
2210 * permeable for the service itself.
6c47cd7d 2211 *
3f5b1508
LP		 2212 * Specifically: for a service which wants a special directory "foo/" we first create
2213 * a directory "private/" with access mode 0700 owned by root:root. Then we place
2214 * "foo" inside of that directory (i.e. "private/foo/"), and make "foo" a symlink to
2215 * "private/foo". This way, privileged host users can access "foo/" as usual, but
2216 * unprivileged host users can't look into it. Inside of the namespace of the unit
2217 * "private/" is replaced by a more liberally accessible tmpfs, into which the host's
2218 * "private/foo/" is mounted under the same name, thus disabling the access boundary
2219 * for the service and making sure it only gets access to the dirs it needs but no
2220 * others. Tricky? Yes, absolutely, but it works!
6c47cd7d 2221 *
3f5b1508
LP		 2222 * Note that we don't do this for EXEC_DIRECTORY_CONFIGURATION as that's assumed not
2223 * to be owned by the service itself.
2224 *
2225 * Also, note that we don't do this for EXEC_DIRECTORY_RUNTIME as that's often used
2226 * for sharing files or sockets with other services. */
6c47cd7d 2227
edbfeb12 2228 private_root = path_join(params->prefix[type], "private");
6c47cd7d
LP		 2229 if (!private_root) {
2230 r = -ENOMEM;
2231 goto fail;
2232 }
2233
2234 /* First set up private root if it doesn't exist yet, with access mode 0700 and owned by root:root */
37c1d5e9 2235 r = mkdir_safe_label(private_root, 0700, 0, 0, MKDIR_WARN_MODE);
6c47cd7d
LP		 2236 if (r < 0)
2237 goto fail;
2238
edbfeb12 2239 pp = path_join(private_root, *rt);
6c47cd7d
LP		 2240 if (!pp) {
2241 r = -ENOMEM;
2242 goto fail;
2243 }
2244
2245 /* Create all directories between the configured directory and this private root, and mark them 0755 */
2246 r = mkdir_parents_label(pp, 0755);
2247 if (r < 0)
2248 goto fail;
2249
949befd3
LP		 2250 if (is_dir(p, false) > 0 &&
2251 (laccess(pp, F_OK) < 0 && errno == ENOENT)) {
2252
2253 /* Hmm, the private directory doesn't exist yet, but the normal one exists? If so, move
2254 * it over. Most likely the service has been upgraded from one that didn't use
2255 * DynamicUser=1, to one that does. */
2256
cf52c45d
LP		 2257 log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
2258 "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
2259 exec_directory_type_to_string(type), p, pp);
2260
949befd3
LP		 2261 if (rename(p, pp) < 0) {
2262 r = -errno;
2263 goto fail;
2264 }
2265 } else {
2266 /* Otherwise, create the actual directory for the service */
2267
2268 r = mkdir_label(pp, context->directories[type].mode);
2269 if (r < 0 && r != -EEXIST)
2270 goto fail;
2271 }
6c47cd7d 2272
6c47cd7d 2273 /* And link it up from the original place */
6c9c51e5 2274 r = symlink_idempotent(pp, p, true);
6c47cd7d
LP		 2275 if (r < 0)
2276 goto fail;
2277
6c47cd7d 2278 } else {
5c6d40d1
LP		 2279 _cleanup_free_ char *target = NULL;
2280
2281 if (type != EXEC_DIRECTORY_CONFIGURATION &&
2282 readlink_and_make_absolute(p, &target) >= 0) {
578dc69f 2283 _cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
5c6d40d1
LP		 2284
2285 /* This already exists and is a symlink? Interesting. Maybe it's one created
2193f17c
LP		 2286 * by DynamicUser=1 (see above)?
2287 *
2288 * We do this for all directory types except for ConfigurationDirectory=,
2289 * since they all support the private/ symlink logic at least in some
2290 * configurations, see above. */
5c6d40d1 2291
578dc69f
YW		 2292 r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
2293 if (r < 0)
2294 goto fail;
2295
5c6d40d1
LP		 2296 q = path_join(params->prefix[type], "private", *rt);
2297 if (!q) {
2298 r = -ENOMEM;
2299 goto fail;
2300 }
2301
578dc69f
YW		 2302 /* /var/lib or friends may be symlinks. So, let's chase them also. */
2303 r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
2304 if (r < 0)
2305 goto fail;
2306
2307 if (path_equal(q_resolved, target_resolved)) {
5c6d40d1
LP		 2308
2309 /* Hmm, apparently DynamicUser= was once turned on for this service,
2310 * but is no longer. Let's move the directory back up. */
2311
cf52c45d
LP		 2312 log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
2313 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
2314 exec_directory_type_to_string(type), q, p);
2315
5c6d40d1
LP		 2316 if (unlink(p) < 0) {
2317 r = -errno;
2318 goto fail;
2319 }
2320
2321 if (rename(q, p) < 0) {
2322 r = -errno;
2323 goto fail;
2324 }
2325 }
2326 }
2327
6c47cd7d 2328 r = mkdir_label(p, context->directories[type].mode);
d484580c 2329 if (r < 0) {
d484580c
LP		 2330 if (r != -EEXIST)
2331 goto fail;
2332
206e9864
LP		 2333 if (type == EXEC_DIRECTORY_CONFIGURATION) {
2334 struct stat st;
2335
2336 /* Don't change the owner/access mode of the configuration directory,
2337 * as in the common case it is not written to by a service, and shall
2338 * not be writable. */
2339
2340 if (stat(p, &st) < 0) {
2341 r = -errno;
2342 goto fail;
2343 }
2344
2345 /* Still complain if the access mode doesn't match */
2346 if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0)
2347 log_warning("%s \'%s\' already exists but the mode is different. "
2348 "(File system: %o %sMode: %o)",
2349 exec_directory_type_to_string(type), *rt,
2350 st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
2351
6cff72eb 2352 continue;
206e9864 2353 }
6cff72eb 2354 }
a1164ae3 2355 }
07689d5d 2356
206e9864 2357 /* Lock down the access mode (we use chmod_and_chown() to make this idempotent. We don't
5238e957 2358 * specify UID/GID here, so that path_chown_recursive() can optimize things depending on the
206e9864
LP		 2359 * current UID/GID ownership.) */
2360 r = chmod_and_chown(pp ?: p, context->directories[type].mode, UID_INVALID, GID_INVALID);
2361 if (r < 0)
2362 goto fail;
c71b2eb7 2363
607b358e
LP		 2364 /* Then, change the ownership of the whole tree, if necessary. When dynamic users are used we
2365 * drop the suid/sgid bits, since we really don't want SUID/SGID files for dynamic UID/GID
2366 * assignments to exist.*/
2367 r = path_chown_recursive(pp ?: p, uid, gid, context->dynamic_user ? 01777 : 07777);
07689d5d 2368 if (r < 0)
3536f49e 2369 goto fail;
07689d5d
LP		 2370 }
2371
2372 return 0;
3536f49e
YW		 2373
2374fail:
2375 *exit_status = exit_status_table[type];
3536f49e 2376 return r;
07689d5d
LP		 2377}
2378
92b423b9 2379#if ENABLE_SMACK
cefc33ae
LP		 2380static int setup_smack(
2381 const ExecContext *context,
2382 const ExecCommand *command) {
2383
cefc33ae
LP		 2384 int r;
2385
2386 assert(context);
2387 assert(command);
2388
cefc33ae
LP		 2389 if (context->smack_process_label) {
2390 r = mac_smack_apply_pid(0, context->smack_process_label);
2391 if (r < 0)
2392 return r;
2393 }
2394#ifdef SMACK_DEFAULT_PROCESS_LABEL
2395 else {
2396 _cleanup_free_ char *exec_label = NULL;
2397
2398 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
4c701096 2399 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
cefc33ae
LP		 2400 return r;
2401
2402 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2403 if (r < 0)
2404 return r;
2405 }
cefc33ae
LP		 2406#endif
2407
2408 return 0;
2409}
92b423b9 2410#endif
cefc33ae 2411
6c47cd7d
LP		 2412static int compile_bind_mounts(
2413 const ExecContext *context,
2414 const ExecParameters *params,
2415 BindMount **ret_bind_mounts,
da6053d0 2416 size_t *ret_n_bind_mounts,
6c47cd7d
LP		 2417 char ***ret_empty_directories) {
2418
2419 _cleanup_strv_free_ char **empty_directories = NULL;
2420 BindMount *bind_mounts;
da6053d0 2421 size_t n, h = 0, i;
6c47cd7d
LP		 2422 ExecDirectoryType t;
2423 int r;
2424
2425 assert(context);
2426 assert(params);
2427 assert(ret_bind_mounts);
2428 assert(ret_n_bind_mounts);
2429 assert(ret_empty_directories);
2430
2431 n = context->n_bind_mounts;
2432 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2433 if (!params->prefix[t])
2434 continue;
2435
2436 n += strv_length(context->directories[t].paths);
2437 }
2438
2439 if (n <= 0) {
2440 *ret_bind_mounts = NULL;
2441 *ret_n_bind_mounts = 0;
2442 *ret_empty_directories = NULL;
2443 return 0;
2444 }
2445
2446 bind_mounts = new(BindMount, n);
2447 if (!bind_mounts)
2448 return -ENOMEM;
2449
a8cabc61 2450 for (i = 0; i < context->n_bind_mounts; i++) {
6c47cd7d
LP		 2451 BindMount *item = context->bind_mounts + i;
2452 char *s, *d;
2453
2454 s = strdup(item->source);
2455 if (!s) {
2456 r = -ENOMEM;
2457 goto finish;
2458 }
2459
2460 d = strdup(item->destination);
2461 if (!d) {
2462 free(s);
2463 r = -ENOMEM;
2464 goto finish;
2465 }
2466
2467 bind_mounts[h++] = (BindMount) {
2468 .source = s,
2469 .destination = d,
2470 .read_only = item->read_only,
2471 .recursive = item->recursive,
2472 .ignore_enoent = item->ignore_enoent,
2473 };
2474 }
2475
2476 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2477 char **suffix;
2478
2479 if (!params->prefix[t])
2480 continue;
2481
2482 if (strv_isempty(context->directories[t].paths))
2483 continue;
2484
494d0247 2485 if (exec_directory_is_private(context, t) &&
5609f688 2486 !(context->root_directory || context->root_image)) {
6c47cd7d
LP		 2487 char *private_root;
2488
2489 /* So this is for a dynamic user, and we need to make sure the process can access its own
2490 * directory. For that we overmount the usually inaccessible "private" subdirectory with a
2491 * tmpfs that makes it accessible and is empty except for the submounts we do this for. */
2492
657ee2d8 2493 private_root = path_join(params->prefix[t], "private");
6c47cd7d
LP		 2494 if (!private_root) {
2495 r = -ENOMEM;
2496 goto finish;
2497 }
2498
2499 r = strv_consume(&empty_directories, private_root);
a635a7ae 2500 if (r < 0)
6c47cd7d 2501 goto finish;
6c47cd7d
LP		 2502 }
2503
2504 STRV_FOREACH(suffix, context->directories[t].paths) {
2505 char *s, *d;
2506
494d0247 2507 if (exec_directory_is_private(context, t))
657ee2d8 2508 s = path_join(params->prefix[t], "private", *suffix);
6c47cd7d 2509 else
657ee2d8 2510 s = path_join(params->prefix[t], *suffix);
6c47cd7d
LP		 2511 if (!s) {
2512 r = -ENOMEM;
2513 goto finish;
2514 }
2515
494d0247 2516 if (exec_directory_is_private(context, t) &&
5609f688
YW		 2517 (context->root_directory || context->root_image))
2518 /* When RootDirectory= or RootImage= are set, then the symbolic link to the private
2519 * directory is not created on the root directory. So, let's bind-mount the directory
2520 * on the 'non-private' place. */
657ee2d8 2521 d = path_join(params->prefix[t], *suffix);
5609f688
YW		 2522 else
2523 d = strdup(s);
6c47cd7d
LP		 2524 if (!d) {
2525 free(s);
2526 r = -ENOMEM;
2527 goto finish;
2528 }
2529
2530 bind_mounts[h++] = (BindMount) {
2531 .source = s,
2532 .destination = d,
2533 .read_only = false,
9ce4e4b0 2534 .nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */
6c47cd7d
LP		 2535 .recursive = true,
2536 .ignore_enoent = false,
2537 };
2538 }
2539 }
2540
2541 assert(h == n);
2542
2543 *ret_bind_mounts = bind_mounts;
2544 *ret_n_bind_mounts = n;
ae2a15bc 2545 *ret_empty_directories = TAKE_PTR(empty_directories);
6c47cd7d
LP		 2546
2547 return (int) n;
2548
2549finish:
2550 bind_mount_free_many(bind_mounts, h);
2551 return r;
2552}
2553
4e677599
LP		 2554static bool insist_on_sandboxing(
2555 const ExecContext *context,
2556 const char *root_dir,
2557 const char *root_image,
2558 const BindMount *bind_mounts,
2559 size_t n_bind_mounts) {
2560
2561 size_t i;
2562
2563 assert(context);
2564 assert(n_bind_mounts == 0 || bind_mounts);
2565
2566 /* Checks whether we need to insist on fs namespacing. i.e. whether we have settings configured that
86b52a39 2567 * would alter the view on the file system beyond making things read-only or invisible, i.e. would
4e677599
LP		 2568 * rearrange stuff in a way we cannot ignore gracefully. */
2569
2570 if (context->n_temporary_filesystems > 0)
2571 return true;
2572
2573 if (root_dir || root_image)
2574 return true;
2575
b3d13314
LB		 2576 if (context->n_mount_images > 0)
2577 return true;
2578
4e677599
LP		 2579 if (context->dynamic_user)
2580 return true;
2581
2582 /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
2583 * essential. */
2584 for (i = 0; i < n_bind_mounts; i++)
2585 if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination))
2586 return true;
2587
91dd5f7c
LP		 2588 if (context->log_namespace)
2589 return true;
2590
4e677599
LP		 2591 return false;
2592}
2593
6818c54c 2594static int apply_mount_namespace(
34cf6c43
YW		 2595 const Unit *u,
2596 const ExecCommand *command,
6818c54c
LP		 2597 const ExecContext *context,
2598 const ExecParameters *params,
7cc5ef5f
ZJS		 2599 const ExecRuntime *runtime,
2600 char **error_path) {
6818c54c 2601
7bcef4ef 2602 _cleanup_strv_free_ char **empty_directories = NULL;
56a13a49 2603 const char *tmp_dir = NULL, *var_tmp_dir = NULL;
915e6d16 2604 const char *root_dir = NULL, *root_image = NULL;
228af36f 2605 NamespaceInfo ns_info;
165a31c0 2606 bool needs_sandboxing;
6c47cd7d 2607 BindMount *bind_mounts = NULL;
da6053d0 2608 size_t n_bind_mounts = 0;
6818c54c 2609 int r;
93c6bb51 2610
2b3c1b9e
DH		 2611 assert(context);
2612
915e6d16
LP		 2613 if (params->flags & EXEC_APPLY_CHROOT) {
2614 root_image = context->root_image;
2615
2616 if (!root_image)
2617 root_dir = context->root_directory;
2618 }
93c6bb51 2619
6c47cd7d
LP		 2620 r = compile_bind_mounts(context, params, &bind_mounts, &n_bind_mounts, &empty_directories);
2621 if (r < 0)
2622 return r;
2623
165a31c0 2624 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
ecf63c91
NJ		 2625 if (needs_sandboxing) {
2626 /* The runtime struct only contains the parent of the private /tmp,
2627 * which is non-accessible to world users. Inside of it there's a /tmp
56a13a49
ZJS		 2628 * that is sticky, and that's the one we want to use here.
2629 * This does not apply when we are using /run/systemd/empty as fallback. */
ecf63c91
NJ		 2630
2631 if (context->private_tmp && runtime) {
56a13a49
ZJS		 2632 if (streq_ptr(runtime->tmp_dir, RUN_SYSTEMD_EMPTY))
2633 tmp_dir = runtime->tmp_dir;
2634 else if (runtime->tmp_dir)
2635 tmp_dir = strjoina(runtime->tmp_dir, "/tmp");
2636
2637 if (streq_ptr(runtime->var_tmp_dir, RUN_SYSTEMD_EMPTY))
2638 var_tmp_dir = runtime->var_tmp_dir;
f63ef937 2639 else if (runtime->var_tmp_dir)
56a13a49 2640 var_tmp_dir = strjoina(runtime->var_tmp_dir, "/tmp");
ecf63c91
NJ		 2641 }
2642
b5a33299
YW		 2643 ns_info = (NamespaceInfo) {
2644 .ignore_protect_paths = false,
2645 .private_dev = context->private_devices,
2646 .protect_control_groups = context->protect_control_groups,
2647 .protect_kernel_tunables = context->protect_kernel_tunables,
2648 .protect_kernel_modules = context->protect_kernel_modules,
94a7b275 2649 .protect_kernel_logs = context->protect_kernel_logs,
aecd5ac6 2650 .protect_hostname = context->protect_hostname,
b5a33299 2651 .mount_apivfs = context->mount_apivfs,
228af36f 2652 .private_mounts = context->private_mounts,
b5a33299 2653 };
ecf63c91 2654 } else if (!context->dynamic_user && root_dir)
228af36f
LP		 2655 /*
2656 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2657 * sandbox info, otherwise enforce it, don't ignore protected paths and
2658 * fail if we are enable to apply the sandbox inside the mount namespace.
2659 */
2660 ns_info = (NamespaceInfo) {
2661 .ignore_protect_paths = true,
2662 };
2663 else
2664 ns_info = (NamespaceInfo) {};
b5a33299 2665
37ed15d7
FB		 2666 if (context->mount_flags == MS_SHARED)
2667 log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
2668
18d73705 2669 r = setup_namespace(root_dir, root_image, context->root_image_options,
7bcef4ef 2670 &ns_info, context->read_write_paths,
165a31c0
LP		 2671 needs_sandboxing ? context->read_only_paths : NULL,
2672 needs_sandboxing ? context->inaccessible_paths : NULL,
6c47cd7d
LP		 2673 empty_directories,
2674 bind_mounts,
2675 n_bind_mounts,
2abd4e38
YW		 2676 context->temporary_filesystems,
2677 context->n_temporary_filesystems,
b3d13314
LB		 2678 context->mount_images,
2679 context->n_mount_images,
56a13a49
ZJS		 2680 tmp_dir,
2681 var_tmp_dir,
91dd5f7c 2682 context->log_namespace,
165a31c0
LP		 2683 needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
2684 needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16 2685 context->mount_flags,
d4d55b0d
LB		 2686 context->root_hash, context->root_hash_size, context->root_hash_path,
2687 context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
2688 context->root_verity,
8d251485 2689 DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
7cc5ef5f 2690 error_path);
93c6bb51 2691
1beab8b0 2692 /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
5238e957 2693 * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
1beab8b0
LP		 2694 * sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
2695 * completely different execution environment. */
aca835ed 2696 if (r == -ENOANO) {
4e677599
LP		 2697 if (insist_on_sandboxing(
2698 context,
2699 root_dir, root_image,
2700 bind_mounts,
2701 n_bind_mounts)) {
2702 log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
2703 "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
2704 n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
2705
2706 r = -EOPNOTSUPP;
2707 } else {
aca835ed 2708 log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
4e677599 2709 r = 0;
aca835ed 2710 }
93c6bb51
DH		 2711 }
2712
4e677599 2713 bind_mount_free_many(bind_mounts, n_bind_mounts);
93c6bb51
DH		 2714 return r;
2715}
2716
915e6d16
LP		 2717static int apply_working_directory(
2718 const ExecContext *context,
2719 const ExecParameters *params,
2720 const char *home,
376fecf6 2721 int *exit_status) {
915e6d16 2722
6732edab 2723 const char *d, *wd;
2b3c1b9e
DH		 2724
2725 assert(context);
376fecf6 2726 assert(exit_status);
2b3c1b9e 2727
6732edab
LP		 2728 if (context->working_directory_home) {
2729
376fecf6
LP		 2730 if (!home) {
2731 *exit_status = EXIT_CHDIR;
6732edab 2732 return -ENXIO;
376fecf6 2733 }
6732edab 2734
2b3c1b9e 2735 wd = home;
6732edab
LP		 2736
2737 } else if (context->working_directory)
2b3c1b9e
DH		 2738 wd = context->working_directory;
2739 else
2740 wd = "/";
e7f1e7c6 2741
fa97f630 2742 if (params->flags & EXEC_APPLY_CHROOT)
2b3c1b9e 2743 d = wd;
fa97f630 2744 else
3b0e5bb5 2745 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2746
376fecf6
LP		 2747 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2748 *exit_status = EXIT_CHDIR;
2b3c1b9e 2749 return -errno;
376fecf6 2750 }
e7f1e7c6
DH		 2751
2752 return 0;
2753}
2754
fa97f630
JB		 2755static int apply_root_directory(
2756 const ExecContext *context,
2757 const ExecParameters *params,
2758 const bool needs_mount_ns,
2759 int *exit_status) {
2760
2761 assert(context);
2762 assert(exit_status);
2763
2764 if (params->flags & EXEC_APPLY_CHROOT) {
2765 if (!needs_mount_ns && context->root_directory)
2766 if (chroot(context->root_directory) < 0) {
2767 *exit_status = EXIT_CHROOT;
2768 return -errno;
2769 }
2770 }
2771
2772 return 0;
2773}
2774
b1edf445 2775static int setup_keyring(
34cf6c43 2776 const Unit *u,
b1edf445
LP		 2777 const ExecContext *context,
2778 const ExecParameters *p,
2779 uid_t uid, gid_t gid) {
2780
74dd6b51 2781 key_serial_t keyring;
e64c2d0b
DJL		 2782 int r = 0;
2783 uid_t saved_uid;
2784 gid_t saved_gid;
74dd6b51
LP		 2785
2786 assert(u);
b1edf445 2787 assert(context);
74dd6b51
LP		 2788 assert(p);
2789
2790 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2791 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2792 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2793 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2794 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2795 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2796
b1edf445
LP		 2797 if (context->keyring_mode == EXEC_KEYRING_INHERIT)
2798 return 0;
2799
e64c2d0b
DJL		 2800 /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things set up
2801 * properly by the kernel. If we don't do that then we can't create it atomically, and that sucks for parallel
2802 * execution. This mimics what pam_keyinit does, too. Setting up session keyring, to be owned by the right user
2803 * & group is just as nasty as acquiring a reference to the user keyring. */
2804
2805 saved_uid = getuid();
2806 saved_gid = getgid();
2807
2808 if (gid_is_valid(gid) && gid != saved_gid) {
2809 if (setregid(gid, -1) < 0)
2810 return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m");
2811 }
2812
2813 if (uid_is_valid(uid) && uid != saved_uid) {
2814 if (setreuid(uid, -1) < 0) {
2815 r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
2816 goto out;
2817 }
2818 }
2819
74dd6b51
LP		 2820 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2821 if (keyring == -1) {
2822 if (errno == ENOSYS)
8002fb97 2823 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
74dd6b51 2824 else if (IN_SET(errno, EACCES, EPERM))
8002fb97 2825 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
74dd6b51 2826 else if (errno == EDQUOT)
8002fb97 2827 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
74dd6b51 2828 else
e64c2d0b 2829 r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
74dd6b51 2830
e64c2d0b 2831 goto out;
74dd6b51
LP		 2832 }
2833
e64c2d0b
DJL		 2834 /* When requested link the user keyring into the session keyring. */
2835 if (context->keyring_mode == EXEC_KEYRING_SHARED) {
2836
2837 if (keyctl(KEYCTL_LINK,
2838 KEY_SPEC_USER_KEYRING,
2839 KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
2840 r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m");
2841 goto out;
2842 }
2843 }
2844
2845 /* Restore uid/gid back */
2846 if (uid_is_valid(uid) && uid != saved_uid) {
2847 if (setreuid(saved_uid, -1) < 0) {
2848 r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
2849 goto out;
2850 }
2851 }
2852
2853 if (gid_is_valid(gid) && gid != saved_gid) {
2854 if (setregid(saved_gid, -1) < 0)
2855 return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
2856 }
2857
2858 /* Populate they keyring with the invocation ID by default, as original saved_uid. */
b3415f5d
LP		 2859 if (!sd_id128_is_null(u->invocation_id)) {
2860 key_serial_t key;
2861
2862 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2863 if (key == -1)
8002fb97 2864 log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
b3415f5d
LP		 2865 else {
2866 if (keyctl(KEYCTL_SETPERM, key,
2867 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2868 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
e64c2d0b 2869 r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
b3415f5d
LP		 2870 }
2871 }
2872
e64c2d0b 2873out:
37b22b3b 2874 /* Revert back uid & gid for the last time, and exit */
e64c2d0b
DJL		 2875 /* no extra logging, as only the first already reported error matters */
2876 if (getuid() != saved_uid)
2877 (void) setreuid(saved_uid, -1);
b1edf445 2878
e64c2d0b
DJL		 2879 if (getgid() != saved_gid)
2880 (void) setregid(saved_gid, -1);
b1edf445 2881
e64c2d0b 2882 return r;
74dd6b51
LP		 2883}
2884
3042bbeb 2885static void append_socket_pair(int *array, size_t *n, const int pair[static 2]) {
29206d46
LP		 2886 assert(array);
2887 assert(n);
2caa38e9 2888 assert(pair);
29206d46
LP		 2889
2890 if (pair[0] >= 0)
2891 array[(*n)++] = pair[0];
2892 if (pair[1] >= 0)
2893 array[(*n)++] = pair[1];
2894}
2895
a34ceba6
LP		 2896static int close_remaining_fds(
2897 const ExecParameters *params,
34cf6c43
YW		 2898 const ExecRuntime *runtime,
2899 const DynamicCreds *dcreds,
00d9ef85 2900 int user_lookup_fd,
a34ceba6 2901 int socket_fd,
5686391b 2902 int exec_fd,
5b8d1f6b 2903 const int *fds, size_t n_fds) {
a34ceba6 2904
da6053d0 2905 size_t n_dont_close = 0;
00d9ef85 2906 int dont_close[n_fds + 12];
a34ceba6
LP		 2907
2908 assert(params);
2909
2910 if (params->stdin_fd >= 0)
2911 dont_close[n_dont_close++] = params->stdin_fd;
2912 if (params->stdout_fd >= 0)
2913 dont_close[n_dont_close++] = params->stdout_fd;
2914 if (params->stderr_fd >= 0)
2915 dont_close[n_dont_close++] = params->stderr_fd;
2916
2917 if (socket_fd >= 0)
2918 dont_close[n_dont_close++] = socket_fd;
5686391b
LP		 2919 if (exec_fd >= 0)
2920 dont_close[n_dont_close++] = exec_fd;
a34ceba6
LP		 2921 if (n_fds > 0) {
2922 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2923 n_dont_close += n_fds;
2924 }
2925
29206d46
LP		 2926 if (runtime)
2927 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2928
2929 if (dcreds) {
2930 if (dcreds->user)
2931 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2932 if (dcreds->group)
2933 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2934 }
2935
00d9ef85
LP		 2936 if (user_lookup_fd >= 0)
2937 dont_close[n_dont_close++] = user_lookup_fd;
2938
a34ceba6
LP		 2939 return close_all_fds(dont_close, n_dont_close);
2940}
2941
00d9ef85
LP		 2942static int send_user_lookup(
2943 Unit *unit,
2944 int user_lookup_fd,
2945 uid_t uid,
2946 gid_t gid) {
2947
2948 assert(unit);
2949
2950 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2951 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2952 * specified. */
2953
2954 if (user_lookup_fd < 0)
2955 return 0;
2956
2957 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2958 return 0;
2959
2960 if (writev(user_lookup_fd,
2961 (struct iovec[]) {
e6a7ec4b
LP		 2962 IOVEC_INIT(&uid, sizeof(uid)),
2963 IOVEC_INIT(&gid, sizeof(gid)),
2964 IOVEC_INIT_STRING(unit->id) }, 3) < 0)
00d9ef85
LP		 2965 return -errno;
2966
2967 return 0;
2968}
2969
6732edab
LP		 2970static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2971 int r;
2972
2973 assert(c);
2974 assert(home);
2975 assert(buf);
2976
2977 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2978
2979 if (*home)
2980 return 0;
2981
2982 if (!c->working_directory_home)
2983 return 0;
2984
6732edab
LP		 2985 r = get_home_dir(buf);
2986 if (r < 0)
2987 return r;
2988
2989 *home = *buf;
2990 return 1;
2991}
2992
da50b85a
LP		 2993static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p, char ***ret) {
2994 _cleanup_strv_free_ char ** list = NULL;
2995 ExecDirectoryType t;
2996 int r;
2997
2998 assert(c);
2999 assert(p);
3000 assert(ret);
3001
3002 assert(c->dynamic_user);
3003
3004 /* Compile a list of paths that it might make sense to read the owning UID from to use as initial candidate for
3005 * dynamic UID allocation, in order to save us from doing costly recursive chown()s of the special
3006 * directories. */
3007
3008 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
3009 char **i;
3010
3011 if (t == EXEC_DIRECTORY_CONFIGURATION)
3012 continue;
3013
3014 if (!p->prefix[t])
3015 continue;
3016
3017 STRV_FOREACH(i, c->directories[t].paths) {
3018 char *e;
3019
494d0247 3020 if (exec_directory_is_private(c, t))
657ee2d8 3021 e = path_join(p->prefix[t], "private", *i);
494d0247
YW		 3022 else
3023 e = path_join(p->prefix[t], *i);
da50b85a
LP		 3024 if (!e)
3025 return -ENOMEM;
3026
3027 r = strv_consume(&list, e);
3028 if (r < 0)
3029 return r;
3030 }
3031 }
3032
ae2a15bc 3033 *ret = TAKE_PTR(list);
da50b85a
LP		 3034
3035 return 0;
3036}
3037
34cf6c43
YW		 3038static char *exec_command_line(char **argv);
3039
78f93209
LP		 3040static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) {
3041 bool using_subcgroup;
3042 char *p;
3043
3044 assert(params);
3045 assert(ret);
3046
3047 if (!params->cgroup_path)
3048 return -EINVAL;
3049
3050 /* If we are called for a unit where cgroup delegation is on, and the payload created its own populated
3051 * subcgroup (which we expect it to do, after all it asked for delegation), then we cannot place the control
3052 * processes started after the main unit's process in the unit's main cgroup because it is now an inner one,
3053 * and inner cgroups may not contain processes. Hence, if delegation is on, and this is a control process,
3054 * let's use ".control" as subcgroup instead. Note that we do so only for ExecStartPost=, ExecReload=,
3055 * ExecStop=, ExecStopPost=, i.e. for the commands where the main process is already forked. For ExecStartPre=
3056 * this is not necessary, the cgroup is still empty. We distinguish these cases with the EXEC_CONTROL_CGROUP
3057 * flag, which is only passed for the former statements, not for the latter. */
3058
3059 using_subcgroup = FLAGS_SET(params->flags, EXEC_CONTROL_CGROUP|EXEC_CGROUP_DELEGATE|EXEC_IS_CONTROL);
3060 if (using_subcgroup)
657ee2d8 3061 p = path_join(params->cgroup_path, ".control");
78f93209
LP		 3062 else
3063 p = strdup(params->cgroup_path);
3064 if (!p)
3065 return -ENOMEM;
3066
3067 *ret = p;
3068 return using_subcgroup;
3069}
3070
e2b2fb7f
MS		 3071static int exec_context_cpu_affinity_from_numa(const ExecContext *c, CPUSet *ret) {
3072 _cleanup_(cpu_set_reset) CPUSet s = {};
3073 int r;
3074
3075 assert(c);
3076 assert(ret);
3077
3078 if (!c->numa_policy.nodes.set) {
3079 log_debug("Can't derive CPU affinity mask from NUMA mask because NUMA mask is not set, ignoring");
3080 return 0;
3081 }
3082
3083 r = numa_to_cpu_set(&c->numa_policy, &s);
3084 if (r < 0)
3085 return r;
3086
3087 cpu_set_reset(ret);
3088
3089 return cpu_set_add_all(ret, &s);
3090}
3091
3092bool exec_context_get_cpu_affinity_from_numa(const ExecContext *c) {
3093 assert(c);
3094
3095 return c->cpu_affinity_from_numa;
3096}
3097
ff0af2a1 3098static int exec_child(
f2341e0a 3099 Unit *unit,
34cf6c43 3100 const ExecCommand *command,
ff0af2a1
LP		 3101 const ExecContext *context,
3102 const ExecParameters *params,
3103 ExecRuntime *runtime,
29206d46 3104 DynamicCreds *dcreds,
ff0af2a1 3105 int socket_fd,
2caa38e9 3106 const int named_iofds[static 3],
4c47affc 3107 int *fds,
da6053d0 3108 size_t n_socket_fds,
25b583d7 3109 size_t n_storage_fds,
ff0af2a1 3110 char **files_env,
00d9ef85 3111 int user_lookup_fd,
12145637 3112 int *exit_status) {
d35fbf6b 3113
7ca69792 3114 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **replaced_argv = NULL;
5686391b 3115 int *fds_with_exec_fd, n_fds_with_exec_fd, r, ngids = 0, exec_fd = -1;
4d885bd3
DH		 3116 _cleanup_free_ gid_t *supplementary_gids = NULL;
3117 const char *username = NULL, *groupname = NULL;
5686391b 3118 _cleanup_free_ char *home_buffer = NULL;
2b3c1b9e 3119 const char *home = NULL, *shell = NULL;
7ca69792 3120 char **final_argv = NULL;
7bce046b
LP		 3121 dev_t journal_stream_dev = 0;
3122 ino_t journal_stream_ino = 0;
5749f855 3123 bool userns_set_up = false;
165a31c0
LP		 3124 bool needs_sandboxing, /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
3125 needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
3126 needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
3127 needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
349cc4a5 3128#if HAVE_SELINUX
7f59dd35 3129 _cleanup_free_ char *mac_selinux_context_net = NULL;
43b1f709 3130 bool use_selinux = false;
ecfbc84f 3131#endif
f9fa32f0 3132#if ENABLE_SMACK
43b1f709 3133 bool use_smack = false;
ecfbc84f 3134#endif
349cc4a5 3135#if HAVE_APPARMOR
43b1f709 3136 bool use_apparmor = false;
ecfbc84f 3137#endif
5749f855
AZ		 3138 uid_t saved_uid = getuid();
3139 gid_t saved_gid = getgid();
fed1e721
LP		 3140 uid_t uid = UID_INVALID;
3141 gid_t gid = GID_INVALID;
da6053d0 3142 size_t n_fds;
3536f49e 3143 ExecDirectoryType dt;
165a31c0 3144 int secure_bits;
afb11bf1
DG		 3145 _cleanup_free_ gid_t *gids_after_pam = NULL;
3146 int ngids_after_pam = 0;
034c6ed7 3147
f2341e0a 3148 assert(unit);
5cb5a6ff
LP		 3149 assert(command);
3150 assert(context);
d35fbf6b 3151 assert(params);
ff0af2a1 3152 assert(exit_status);
d35fbf6b
DM		 3153
3154 rename_process_from_path(command->path);
3155
3156 /* We reset exactly these signals, since they are the
3157 * only ones we set to SIG_IGN in the main daemon. All
3158 * others we leave untouched because we set them to
3159 * SIG_DFL or a valid handler initially, both of which
3160 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 3161 (void) default_signals(SIGNALS_CRASH_HANDLER,
3162 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 3163
3164 if (context->ignore_sigpipe)
ce30c8dc 3165 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 3166
ff0af2a1
LP		 3167 r = reset_signal_mask();
3168 if (r < 0) {
3169 *exit_status = EXIT_SIGNAL_MASK;
12145637 3170 return log_unit_error_errno(unit, r, "Failed to set process signal mask: %m");
d35fbf6b 3171 }
034c6ed7 3172
d35fbf6b
DM		 3173 if (params->idle_pipe)
3174 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 3175
2c027c62
LP		 3176 /* Close fds we don't need very early to make sure we don't block init reexecution because it cannot bind its
3177 * sockets. Among the fds we close are the logging fds, and we want to keep them closed, so that we don't have
3178 * any fds open we don't really want open during the transition. In order to make logging work, we switch the
3179 * log subsystem into open_when_needed mode, so that it reopens the logs on every single log call. */
ff0af2a1 3180
d35fbf6b 3181 log_forget_fds();
2c027c62 3182 log_set_open_when_needed(true);
4f2d528d 3183
40a80078
LP		 3184 /* In case anything used libc syslog(), close this here, too */
3185 closelog();
3186
5686391b
LP		 3187 n_fds = n_socket_fds + n_storage_fds;
3188 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, params->exec_fd, fds, n_fds);
ff0af2a1
LP		 3189 if (r < 0) {
3190 *exit_status = EXIT_FDS;
12145637 3191 return log_unit_error_errno(unit, r, "Failed to close unwanted file descriptors: %m");
8c7be95e
LP		 3192 }
3193
d35fbf6b
DM		 3194 if (!context->same_pgrp)
3195 if (setsid() < 0) {
ff0af2a1 3196 *exit_status = EXIT_SETSID;
12145637 3197 return log_unit_error_errno(unit, errno, "Failed to create new process session: %m");
d35fbf6b 3198 }
9e2f7c11 3199
1e22b5cd 3200 exec_context_tty_reset(context, params);
d35fbf6b 3201
c891efaf 3202 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 3203 const char *vc = params->confirm_spawn;
3b20f877
FB		 3204 _cleanup_free_ char *cmdline = NULL;
3205
ee39ca20 3206 cmdline = exec_command_line(command->argv);
3b20f877 3207 if (!cmdline) {
0460aa5c 3208 *exit_status = EXIT_MEMORY;
12145637 3209 return log_oom();
3b20f877 3210 }
d35fbf6b 3211
eedf223a 3212 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 3213 if (r != CONFIRM_EXECUTE) {
3214 if (r == CONFIRM_PRETEND_SUCCESS) {
3215 *exit_status = EXIT_SUCCESS;
3216 return 0;
3217 }
ff0af2a1 3218 *exit_status = EXIT_CONFIRM;
12145637 3219 log_unit_error(unit, "Execution cancelled by the user");
d35fbf6b 3220 return -ECANCELED;
d35fbf6b
DM		 3221 }
3222 }
1a63a750 3223
d521916d
LP		 3224 /* We are about to invoke NSS and PAM modules. Let's tell them what we are doing here, maybe they care. This is
3225 * used by nss-resolve to disable itself when we are about to start systemd-resolved, to avoid deadlocks. Note
3226 * that these env vars do not survive the execve(), which means they really only apply to the PAM and NSS
3227 * invocations themselves. Also note that while we'll only invoke NSS modules involved in user management they
3228 * might internally call into other NSS modules that are involved in hostname resolution, we never know. */
3229 if (setenv("SYSTEMD_ACTIVATION_UNIT", unit->id, true) != 0 ||
3230 setenv("SYSTEMD_ACTIVATION_SCOPE", MANAGER_IS_SYSTEM(unit->manager) ? "system" : "user", true) != 0) {
3231 *exit_status = EXIT_MEMORY;
3232 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
3233 }
3234
29206d46 3235 if (context->dynamic_user && dcreds) {
da50b85a 3236 _cleanup_strv_free_ char **suggested_paths = NULL;
29206d46 3237
d521916d
LP		 3238 /* On top of that, make sure we bypass our own NSS module nss-systemd comprehensively for any NSS
3239 * checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here.*/
409093fe
LP		 3240 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
3241 *exit_status = EXIT_USER;
12145637 3242 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
409093fe
LP		 3243 }
3244
da50b85a
LP		 3245 r = compile_suggested_paths(context, params, &suggested_paths);
3246 if (r < 0) {
3247 *exit_status = EXIT_MEMORY;
3248 return log_oom();
3249 }
3250
3251 r = dynamic_creds_realize(dcreds, suggested_paths, &uid, &gid);
ff0af2a1
LP		 3252 if (r < 0) {
3253 *exit_status = EXIT_USER;
e2b0cc34
YW		 3254 if (r == -EILSEQ) {
3255 log_unit_error(unit, "Failed to update dynamic user credentials: User or group with specified name already exists.");
3256 return -EOPNOTSUPP;
3257 }
12145637 3258 return log_unit_error_errno(unit, r, "Failed to update dynamic user credentials: %m");
524daa8c 3259 }
524daa8c 3260
70dd455c 3261 if (!uid_is_valid(uid)) {
29206d46 3262 *exit_status = EXIT_USER;
12145637 3263 log_unit_error(unit, "UID validation failed for \""UID_FMT"\"", uid);
70dd455c
ZJS		 3264 return -ESRCH;
3265 }
3266
3267 if (!gid_is_valid(gid)) {
3268 *exit_status = EXIT_USER;
12145637 3269 log_unit_error(unit, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 3270 return -ESRCH;
3271 }
5bc7452b 3272
29206d46
LP		 3273 if (dcreds->user)
3274 username = dcreds->user->name;
3275
3276 } else {
4d885bd3
DH		 3277 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
3278 if (r < 0) {
3279 *exit_status = EXIT_USER;
12145637 3280 return log_unit_error_errno(unit, r, "Failed to determine user credentials: %m");
5bc7452b 3281 }
5bc7452b 3282
4d885bd3
DH		 3283 r = get_fixed_group(context, &groupname, &gid);
3284 if (r < 0) {
3285 *exit_status = EXIT_GROUP;
12145637 3286 return log_unit_error_errno(unit, r, "Failed to determine group credentials: %m");
4d885bd3 3287 }
cdc5d5c5 3288 }
29206d46 3289
cdc5d5c5
DH		 3290 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
3291 r = get_supplementary_groups(context, username, groupname, gid,
3292 &supplementary_gids, &ngids);
3293 if (r < 0) {
3294 *exit_status = EXIT_GROUP;
12145637 3295 return log_unit_error_errno(unit, r, "Failed to determine supplementary groups: %m");
29206d46 3296 }
5bc7452b 3297
00d9ef85
LP		 3298 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
3299 if (r < 0) {
3300 *exit_status = EXIT_USER;
12145637 3301 return log_unit_error_errno(unit, r, "Failed to send user credentials to PID1: %m");
00d9ef85
LP		 3302 }
3303
3304 user_lookup_fd = safe_close(user_lookup_fd);
3305
6732edab
LP		 3306 r = acquire_home(context, uid, &home, &home_buffer);
3307 if (r < 0) {
3308 *exit_status = EXIT_CHDIR;
12145637 3309 return log_unit_error_errno(unit, r, "Failed to determine $HOME for user: %m");
6732edab
LP		 3310 }
3311
d35fbf6b
DM		 3312 /* If a socket is connected to STDIN/STDOUT/STDERR, we
3313 * must sure to drop O_NONBLOCK */
3314 if (socket_fd >= 0)
a34ceba6 3315 (void) fd_nonblock(socket_fd, false);
acbb0225 3316
4c70a4a7
MS		 3317 /* Journald will try to look-up our cgroup in order to populate _SYSTEMD_CGROUP and _SYSTEMD_UNIT fields.
3318 * Hence we need to migrate to the target cgroup from init.scope before connecting to journald */
3319 if (params->cgroup_path) {
3320 _cleanup_free_ char *p = NULL;
3321
3322 r = exec_parameters_get_cgroup_path(params, &p);
3323 if (r < 0) {
3324 *exit_status = EXIT_CGROUP;
3325 return log_unit_error_errno(unit, r, "Failed to acquire cgroup path: %m");
3326 }
3327
3328 r = cg_attach_everywhere(params->cgroup_supported, p, 0, NULL, NULL);
3329 if (r < 0) {
3330 *exit_status = EXIT_CGROUP;
3331 return log_unit_error_errno(unit, r, "Failed to attach to cgroup %s: %m", p);
3332 }
3333 }
3334
a8d08f39
LP		 3335 if (context->network_namespace_path && runtime && runtime->netns_storage_socket[0] >= 0) {
3336 r = open_netns_path(runtime->netns_storage_socket, context->network_namespace_path);
3337 if (r < 0) {
3338 *exit_status = EXIT_NETWORK;
3339 return log_unit_error_errno(unit, r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
3340 }
3341 }
3342
52c239d7 3343 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 3344 if (r < 0) {
3345 *exit_status = EXIT_STDIN;
12145637 3346 return log_unit_error_errno(unit, r, "Failed to set up standard input: %m");
d35fbf6b 3347 }
034c6ed7 3348
52c239d7 3349 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3350 if (r < 0) {
3351 *exit_status = EXIT_STDOUT;
12145637 3352 return log_unit_error_errno(unit, r, "Failed to set up standard output: %m");
d35fbf6b
DM		 3353 }
3354
52c239d7 3355 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3356 if (r < 0) {
3357 *exit_status = EXIT_STDERR;
12145637 3358 return log_unit_error_errno(unit, r, "Failed to set up standard error output: %m");
d35fbf6b
DM		 3359 }
3360
d35fbf6b 3361 if (context->oom_score_adjust_set) {
9f8168eb
LP		 3362 /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces
3363 * prohibit write access to this file, and we shouldn't trip up over that. */
3364 r = set_oom_score_adjust(context->oom_score_adjust);
12145637 3365 if (IN_SET(r, -EPERM, -EACCES))
f2341e0a 3366 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
12145637 3367 else if (r < 0) {
ff0af2a1 3368 *exit_status = EXIT_OOM_ADJUST;
12145637 3369 return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m");
613b411c 3370 }
d35fbf6b
DM		 3371 }
3372
ad21e542
ZJS		 3373 if (context->coredump_filter_set) {
3374 r = set_coredump_filter(context->coredump_filter);
3375 if (ERRNO_IS_PRIVILEGE(r))
3376 log_unit_debug_errno(unit, r, "Failed to adjust coredump_filter, ignoring: %m");
3377 else if (r < 0)
3378 return log_unit_error_errno(unit, r, "Failed to adjust coredump_filter: %m");
3379 }
3380
39090201
DJL		 3381 if (context->nice_set) {
3382 r = setpriority_closest(context->nice);
3383 if (r < 0)
3384 return log_unit_error_errno(unit, r, "Failed to set up process scheduling priority (nice level): %m");
3385 }
613b411c 3386
d35fbf6b
DM		 3387 if (context->cpu_sched_set) {
3388 struct sched_param param = {
3389 .sched_priority = context->cpu_sched_priority,
3390 };
3391
ff0af2a1
LP		 3392 r = sched_setscheduler(0,
3393 context->cpu_sched_policy |
3394 (context->cpu_sched_reset_on_fork ?
3395 SCHED_RESET_ON_FORK : 0),
3396 &param);
3397 if (r < 0) {
3398 *exit_status = EXIT_SETSCHEDULER;
12145637 3399 return log_unit_error_errno(unit, errno, "Failed to set up CPU scheduling: %m");
fc9b2a84 3400 }
d35fbf6b 3401 }
fc9b2a84 3402
e2b2fb7f
MS		 3403 if (context->cpu_affinity_from_numa || context->cpu_set.set) {
3404 _cleanup_(cpu_set_reset) CPUSet converted_cpu_set = {};
3405 const CPUSet *cpu_set;
3406
3407 if (context->cpu_affinity_from_numa) {
3408 r = exec_context_cpu_affinity_from_numa(context, &converted_cpu_set);
3409 if (r < 0) {
3410 *exit_status = EXIT_CPUAFFINITY;
3411 return log_unit_error_errno(unit, r, "Failed to derive CPU affinity mask from NUMA mask: %m");
3412 }
3413
3414 cpu_set = &converted_cpu_set;
3415 } else
3416 cpu_set = &context->cpu_set;
3417
3418 if (sched_setaffinity(0, cpu_set->allocated, cpu_set->set) < 0) {
ff0af2a1 3419 *exit_status = EXIT_CPUAFFINITY;
12145637 3420 return log_unit_error_errno(unit, errno, "Failed to set up CPU affinity: %m");
034c6ed7 3421 }
e2b2fb7f 3422 }
034c6ed7 3423
b070c7c0
MS		 3424 if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
3425 r = apply_numa_policy(&context->numa_policy);
3426 if (r == -EOPNOTSUPP)
33fe9e3f 3427 log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
b070c7c0
MS		 3428 else if (r < 0) {
3429 *exit_status = EXIT_NUMA_POLICY;
3430 return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
3431 }
3432 }
3433
d35fbf6b
DM		 3434 if (context->ioprio_set)
3435 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 3436 *exit_status = EXIT_IOPRIO;
12145637 3437 return log_unit_error_errno(unit, errno, "Failed to set up IO scheduling priority: %m");
d35fbf6b 3438 }
da726a4d 3439
d35fbf6b
DM		 3440 if (context->timer_slack_nsec != NSEC_INFINITY)
3441 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 3442 *exit_status = EXIT_TIMERSLACK;
12145637 3443 return log_unit_error_errno(unit, errno, "Failed to set up timer slack: %m");
4c2630eb 3444 }
9eba9da4 3445
21022b9d
LP		 3446 if (context->personality != PERSONALITY_INVALID) {
3447 r = safe_personality(context->personality);
3448 if (r < 0) {
ff0af2a1 3449 *exit_status = EXIT_PERSONALITY;
12145637 3450 return log_unit_error_errno(unit, r, "Failed to set up execution domain (personality): %m");
4c2630eb 3451 }
21022b9d 3452 }
94f04347 3453
d35fbf6b 3454 if (context->utmp_id)
df0ff127 3455 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 3456 context->tty_path,
023a4f67
LP		 3457 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
3458 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
3459 USER_PROCESS,
6a93917d 3460 username);
d35fbf6b 3461
08f67696 3462 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3463 r = chown_terminal(STDIN_FILENO, uid);
3464 if (r < 0) {
3465 *exit_status = EXIT_STDIN;
12145637 3466 return log_unit_error_errno(unit, r, "Failed to change ownership of terminal: %m");
071830ff 3467 }
d35fbf6b 3468 }
8e274523 3469
4e1dfa45 3470 /* If delegation is enabled we'll pass ownership of the cgroup to the user of the new process. On cgroup v1
62b9bb26 3471 * this is only about systemd's own hierarchy, i.e. not the controller hierarchies, simply because that's not
4e1dfa45 3472 * safe. On cgroup v2 there's only one hierarchy anyway, and delegation is safe there, hence in that case only
62b9bb26 3473 * touch a single hierarchy too. */
584b8688 3474 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
62b9bb26 3475 r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
ff0af2a1
LP		 3476 if (r < 0) {
3477 *exit_status = EXIT_CGROUP;
12145637 3478 return log_unit_error_errno(unit, r, "Failed to adjust control group access: %m");
034c6ed7 3479 }
d35fbf6b 3480 }
034c6ed7 3481
72fd1768 3482 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
8679efde 3483 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
12145637
LP		 3484 if (r < 0)
3485 return log_unit_error_errno(unit, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
d35fbf6b 3486 }
94f04347 3487
7bce046b 3488 r = build_environment(
fd63e712 3489 unit,
7bce046b
LP		 3490 context,
3491 params,
3492 n_fds,
3493 home,
3494 username,
3495 shell,
3496 journal_stream_dev,
3497 journal_stream_ino,
3498 &our_env);
2065ca69
JW		 3499 if (r < 0) {
3500 *exit_status = EXIT_MEMORY;
12145637 3501 return log_oom();
2065ca69
JW		 3502 }
3503
3504 r = build_pass_environment(context, &pass_env);
3505 if (r < 0) {
3506 *exit_status = EXIT_MEMORY;
12145637 3507 return log_oom();
2065ca69
JW		 3508 }
3509
3510 accum_env = strv_env_merge(5,
3511 params->environment,
3512 our_env,
3513 pass_env,
3514 context->environment,
44e5d006 3515 files_env);
2065ca69
JW		 3516 if (!accum_env) {
3517 *exit_status = EXIT_MEMORY;
12145637 3518 return log_oom();
2065ca69 3519 }
1280503b 3520 accum_env = strv_env_clean(accum_env);
2065ca69 3521
096424d1 3522 (void) umask(context->umask);
b213e1c1 3523
b1edf445 3524 r = setup_keyring(unit, context, params, uid, gid);
74dd6b51
LP		 3525 if (r < 0) {
3526 *exit_status = EXIT_KEYRING;
12145637 3527 return log_unit_error_errno(unit, r, "Failed to set up kernel keyring: %m");
74dd6b51
LP		 3528 }
3529
165a31c0 3530 /* We need sandboxing if the caller asked us to apply it and the command isn't explicitly excepted from it */
1703fa41 3531 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a 3532
165a31c0
LP		 3533 /* We need the ambient capability hack, if the caller asked us to apply it and the command is marked for it, and the kernel doesn't actually support ambient caps */
3534 needs_ambient_hack = (params->flags & EXEC_APPLY_SANDBOXING) && (command->flags & EXEC_COMMAND_AMBIENT_MAGIC) && !ambient_capabilities_supported();
7f18ef0a 3535
165a31c0
LP		 3536 /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly excepted from either whole sandboxing or just setresuid() itself, and the ambient hack is not desired */
3537 if (needs_ambient_hack)
3538 needs_setuid = false;
3539 else
3540 needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
3541
3542 if (needs_sandboxing) {
7f18ef0a
FK		 3543 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
3544 * present. The actual MAC context application will happen later, as late as possible, to avoid
3545 * impacting our own code paths. */
3546
349cc4a5 3547#if HAVE_SELINUX
43b1f709 3548 use_selinux = mac_selinux_use();
7f18ef0a 3549#endif
f9fa32f0 3550#if ENABLE_SMACK
43b1f709 3551 use_smack = mac_smack_use();
7f18ef0a 3552#endif
349cc4a5 3553#if HAVE_APPARMOR
43b1f709 3554 use_apparmor = mac_apparmor_use();
7f18ef0a 3555#endif
165a31c0 3556 }
7f18ef0a 3557
ce932d2d
LP		 3558 if (needs_sandboxing) {
3559 int which_failed;
3560
3561 /* Let's set the resource limits before we call into PAM, so that pam_limits wins over what
3562 * is set here. (See below.) */
3563
3564 r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
3565 if (r < 0) {
3566 *exit_status = EXIT_LIMITS;
3567 return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
3568 }
3569 }
3570
165a31c0 3571 if (needs_setuid) {
ce932d2d
LP		 3572
3573 /* Let's call into PAM after we set up our own idea of resource limits to that pam_limits
3574 * wins here. (See above.) */
3575
165a31c0
LP		 3576 if (context->pam_name && username) {
3577 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
3578 if (r < 0) {
3579 *exit_status = EXIT_PAM;
12145637 3580 return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
165a31c0 3581 }
afb11bf1
DG		 3582
3583 ngids_after_pam = getgroups_alloc(&gids_after_pam);
3584 if (ngids_after_pam < 0) {
3585 *exit_status = EXIT_MEMORY;
3586 return log_unit_error_errno(unit, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
3587 }
165a31c0 3588 }
b213e1c1 3589 }
ac45f971 3590
5749f855
AZ		 3591 if (needs_sandboxing) {
3592#if HAVE_SELINUX
3593 if (use_selinux && params->selinux_context_net && socket_fd >= 0) {
3594 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
3595 if (r < 0) {
3596 *exit_status = EXIT_SELINUX_CONTEXT;
3597 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
3598 }
3599 }
3600#endif
3601
3602 /* If we're unprivileged, set up the user namespace first to enable use of the other namespaces.
3603 * Users with CAP_SYS_ADMIN can set up user namespaces last because they will be able to
3604 * set up the all of the other namespaces (i.e. network, mount, UTS) without a user namespace. */
3605 if (context->private_users && !have_effective_cap(CAP_SYS_ADMIN)) {
3606 userns_set_up = true;
3607 r = setup_private_users(saved_uid, saved_gid, uid, gid);
3608 if (r < 0) {
3609 *exit_status = EXIT_USER;
3610 return log_unit_error_errno(unit, r, "Failed to set up user namespacing for unprivileged user: %m");
3611 }
3612 }
3613 }
3614
a8d08f39
LP		 3615 if ((context->private_network || context->network_namespace_path) && runtime && runtime->netns_storage_socket[0] >= 0) {
3616
6e2d7c4f
MS		 3617 if (ns_type_supported(NAMESPACE_NET)) {
3618 r = setup_netns(runtime->netns_storage_socket);
ee00d1e9
ZJS		 3619 if (r == -EPERM)
3620 log_unit_warning_errno(unit, r,
3621 "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
3622 else if (r < 0) {
6e2d7c4f
MS		 3623 *exit_status = EXIT_NETWORK;
3624 return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
3625 }
a8d08f39
LP		 3626 } else if (context->network_namespace_path) {
3627 *exit_status = EXIT_NETWORK;
ee00d1e9
ZJS		 3628 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP),
3629 "NetworkNamespacePath= is not supported, refusing.");
6e2d7c4f
MS		 3630 } else
3631 log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
d35fbf6b 3632 }
169c1bda 3633
ee818b89 3634 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 3635 if (needs_mount_namespace) {
7cc5ef5f
ZJS		 3636 _cleanup_free_ char *error_path = NULL;
3637
3638 r = apply_mount_namespace(unit, command, context, params, runtime, &error_path);
3fbe8dbe
LP		 3639 if (r < 0) {
3640 *exit_status = EXIT_NAMESPACE;
7cc5ef5f
ZJS		 3641 return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
3642 error_path ? ": " : "", strempty(error_path));
3fbe8dbe 3643 }
d35fbf6b 3644 }
81a2b7ce 3645
daf8f72b
LP		 3646 if (needs_sandboxing) {
3647 r = apply_protect_hostname(unit, context, exit_status);
3648 if (r < 0)
3649 return r;
aecd5ac6
TM		 3650 }
3651
5749f855
AZ		 3652 /* Drop groups as early as possible.
3653 * This needs to be done after PrivateDevices=y setup as device nodes should be owned by the host's root.
3654 * For non-root in a userns, devices will be owned by the user/group before the group change, and nobody. */
165a31c0 3655 if (needs_setuid) {
afb11bf1
DG		 3656 _cleanup_free_ gid_t *gids_to_enforce = NULL;
3657 int ngids_to_enforce = 0;
3658
3659 ngids_to_enforce = merge_gid_lists(supplementary_gids,
3660 ngids,
3661 gids_after_pam,
3662 ngids_after_pam,
3663 &gids_to_enforce);
3664 if (ngids_to_enforce < 0) {
3665 *exit_status = EXIT_MEMORY;
3666 return log_unit_error_errno(unit,
3667 ngids_to_enforce,
3668 "Failed to merge group lists. Group membership might be incorrect: %m");
3669 }
3670
3671 r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce);
096424d1
LP		 3672 if (r < 0) {
3673 *exit_status = EXIT_GROUP;
12145637 3674 return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");
096424d1 3675 }
165a31c0 3676 }
096424d1 3677
5749f855
AZ		 3678 /* If the user namespace was not set up above, try to do it now.
3679 * It's preferred to set up the user namespace later (after all other namespaces) so as not to be
3680 * restricted by rules pertaining to combining user namspaces with other namespaces (e.g. in the
3681 * case of mount namespaces being less privileged when the mount point list is copied from a
3682 * different user namespace). */
9008e1ac 3683
5749f855
AZ		 3684 if (needs_sandboxing && context->private_users && !userns_set_up) {
3685 r = setup_private_users(saved_uid, saved_gid, uid, gid);
3686 if (r < 0) {
3687 *exit_status = EXIT_USER;
3688 return log_unit_error_errno(unit, r, "Failed to set up user namespacing: %m");
d251207d
LP		 3689 }
3690 }
3691
165a31c0 3692 /* We repeat the fd closing here, to make sure that nothing is leaked from the PAM modules. Note that we are
5686391b
LP		 3693 * more aggressive this time since socket_fd and the netns fds we don't need anymore. We do keep the exec_fd
3694 * however if we have it as we want to keep it open until the final execve(). */
3695
3696 if (params->exec_fd >= 0) {
3697 exec_fd = params->exec_fd;
3698
3699 if (exec_fd < 3 + (int) n_fds) {
3700 int moved_fd;
3701
3702 /* Let's move the exec fd far up, so that it's outside of the fd range we want to pass to the
3703 * process we are about to execute. */
3704
3705 moved_fd = fcntl(exec_fd, F_DUPFD_CLOEXEC, 3 + (int) n_fds);
3706 if (moved_fd < 0) {
3707 *exit_status = EXIT_FDS;
3708 return log_unit_error_errno(unit, errno, "Couldn't move exec fd up: %m");
3709 }
3710
3711 safe_close(exec_fd);
3712 exec_fd = moved_fd;
3713 } else {
3714 /* This fd should be FD_CLOEXEC already, but let's make sure. */
3715 r = fd_cloexec(exec_fd, true);
3716 if (r < 0) {
3717 *exit_status = EXIT_FDS;
3718 return log_unit_error_errno(unit, r, "Failed to make exec fd FD_CLOEXEC: %m");
3719 }
3720 }
3721
3722 fds_with_exec_fd = newa(int, n_fds + 1);
7e8d494b 3723 memcpy_safe(fds_with_exec_fd, fds, n_fds * sizeof(int));
5686391b
LP		 3724 fds_with_exec_fd[n_fds] = exec_fd;
3725 n_fds_with_exec_fd = n_fds + 1;
3726 } else {
3727 fds_with_exec_fd = fds;
3728 n_fds_with_exec_fd = n_fds;
3729 }
3730
3731 r = close_all_fds(fds_with_exec_fd, n_fds_with_exec_fd);
ff0af2a1
LP		 3732 if (r >= 0)
3733 r = shift_fds(fds, n_fds);
3734 if (r >= 0)
25b583d7 3735 r = flags_fds(fds, n_socket_fds, n_storage_fds, context->non_blocking);
ff0af2a1
LP		 3736 if (r < 0) {
3737 *exit_status = EXIT_FDS;
12145637 3738 return log_unit_error_errno(unit, r, "Failed to adjust passed file descriptors: %m");
d35fbf6b 3739 }
e66cf1a3 3740
5686391b
LP		 3741 /* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off
3742 * and at the right fd numbers. The are no other fds open, with one exception: the exec_fd if it is defined,
3743 * and it has O_CLOEXEC set, after all we want it to be closed by the execve(), so that our parent knows we
3744 * came this far. */
3745
165a31c0 3746 secure_bits = context->secure_bits;
e66cf1a3 3747
165a31c0
LP		 3748 if (needs_sandboxing) {
3749 uint64_t bset;
e66cf1a3 3750
ce932d2d
LP		 3751 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly
3752 * requested. (Note this is placed after the general resource limit initialization, see
3753 * above, in order to take precedence.) */
f4170c67
LP		 3754 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
3755 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
3756 *exit_status = EXIT_LIMITS;
12145637 3757 return log_unit_error_errno(unit, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
f4170c67
LP		 3758 }
3759 }
3760
37ac2744
JB		 3761#if ENABLE_SMACK
3762 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
3763 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
3764 if (use_smack) {
3765 r = setup_smack(context, command);
3766 if (r < 0) {
3767 *exit_status = EXIT_SMACK_PROCESS_LABEL;
3768 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
3769 }
3770 }
3771#endif
3772
165a31c0
LP		 3773 bset = context->capability_bounding_set;
3774 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
3775 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
3776 * instead of us doing that */
3777 if (needs_ambient_hack)
3778 bset |= (UINT64_C(1) << CAP_SETPCAP) |
3779 (UINT64_C(1) << CAP_SETUID) |
3780 (UINT64_C(1) << CAP_SETGID);
3781
3782 if (!cap_test_all(bset)) {
3783 r = capability_bounding_set_drop(bset, false);
ff0af2a1
LP		 3784 if (r < 0) {
3785 *exit_status = EXIT_CAPABILITIES;
12145637 3786 return log_unit_error_errno(unit, r, "Failed to drop capabilities: %m");
3b8bddde 3787 }
4c2630eb 3788 }
3b8bddde 3789
755d4b67
IP		 3790 /* This is done before enforce_user, but ambient set
3791 * does not survive over setresuid() if keep_caps is not set. */
943800f4 3792 if (!needs_ambient_hack) {
755d4b67
IP		 3793 r = capability_ambient_set_apply(context->capability_ambient_set, true);
3794 if (r < 0) {
3795 *exit_status = EXIT_CAPABILITIES;
12145637 3796 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (before UID change): %m");
755d4b67 3797 }
755d4b67 3798 }
165a31c0 3799 }
755d4b67 3800
fa97f630
JB		 3801 /* chroot to root directory first, before we lose the ability to chroot */
3802 r = apply_root_directory(context, params, needs_mount_namespace, exit_status);
3803 if (r < 0)
3804 return log_unit_error_errno(unit, r, "Chrooting to the requested root directory failed: %m");
3805
165a31c0 3806 if (needs_setuid) {
08f67696 3807 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3808 r = enforce_user(context, uid);
3809 if (r < 0) {
3810 *exit_status = EXIT_USER;
12145637 3811 return log_unit_error_errno(unit, r, "Failed to change UID to " UID_FMT ": %m", uid);
5b6319dc 3812 }
165a31c0
LP		 3813
3814 if (!needs_ambient_hack &&
3815 context->capability_ambient_set != 0) {
755d4b67
IP		 3816
3817 /* Fix the ambient capabilities after user change. */
3818 r = capability_ambient_set_apply(context->capability_ambient_set, false);
3819 if (r < 0) {
3820 *exit_status = EXIT_CAPABILITIES;
12145637 3821 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
755d4b67
IP		 3822 }
3823
3824 /* If we were asked to change user and ambient capabilities
3825 * were requested, we had to add keep-caps to the securebits
3826 * so that we would maintain the inherited capability set
3827 * through the setresuid(). Make sure that the bit is added
3828 * also to the context secure_bits so that we don't try to
3829 * drop the bit away next. */
3830
7f508f2c 3831 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 3832 }
5b6319dc 3833 }
165a31c0 3834 }
d35fbf6b 3835
56ef8db9
JB		 3836 /* Apply working directory here, because the working directory might be on NFS and only the user running
3837 * this service might have the correct privilege to change to the working directory */
fa97f630 3838 r = apply_working_directory(context, params, home, exit_status);
56ef8db9
JB		 3839 if (r < 0)
3840 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
3841
165a31c0 3842 if (needs_sandboxing) {
37ac2744 3843 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
5cd9cd35
LP		 3844 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
3845 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
3846 * are restricted. */
3847
349cc4a5 3848#if HAVE_SELINUX
43b1f709 3849 if (use_selinux) {
5cd9cd35
LP		 3850 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
3851
3852 if (exec_context) {
3853 r = setexeccon(exec_context);
3854 if (r < 0) {
3855 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3856 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
5cd9cd35
LP		 3857 }
3858 }
3859 }
3860#endif
3861
349cc4a5 3862#if HAVE_APPARMOR
43b1f709 3863 if (use_apparmor && context->apparmor_profile) {
5cd9cd35
LP		 3864 r = aa_change_onexec(context->apparmor_profile);
3865 if (r < 0 && !context->apparmor_profile_ignore) {
3866 *exit_status = EXIT_APPARMOR_PROFILE;
12145637 3867 return log_unit_error_errno(unit, errno, "Failed to prepare AppArmor profile change to %s: %m", context->apparmor_profile);
5cd9cd35
LP		 3868 }
3869 }
3870#endif
3871
165a31c0
LP		 3872 /* PR_GET_SECUREBITS is not privileged, while PR_SET_SECUREBITS is. So to suppress potential EPERMs
3873 * we'll try not to call PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 3874 if (prctl(PR_GET_SECUREBITS) != secure_bits)
3875 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 3876 *exit_status = EXIT_SECUREBITS;
12145637 3877 return log_unit_error_errno(unit, errno, "Failed to set process secure bits: %m");
ff01d048 3878 }
5b6319dc 3879
59eeb84b 3880 if (context_has_no_new_privileges(context))
d35fbf6b 3881 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 3882 *exit_status = EXIT_NO_NEW_PRIVILEGES;
12145637 3883 return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
d35fbf6b
DM		 3884 }
3885
349cc4a5 3886#if HAVE_SECCOMP
469830d1
LP		 3887 r = apply_address_families(unit, context);
3888 if (r < 0) {
3889 *exit_status = EXIT_ADDRESS_FAMILIES;
12145637 3890 return log_unit_error_errno(unit, r, "Failed to restrict address families: %m");
4c2630eb 3891 }
04aa0cb9 3892
469830d1
LP		 3893 r = apply_memory_deny_write_execute(unit, context);
3894 if (r < 0) {
3895 *exit_status = EXIT_SECCOMP;
12145637 3896 return log_unit_error_errno(unit, r, "Failed to disable writing to executable memory: %m");
f3e43635 3897 }
f4170c67 3898
469830d1
LP		 3899 r = apply_restrict_realtime(unit, context);
3900 if (r < 0) {
3901 *exit_status = EXIT_SECCOMP;
12145637 3902 return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
f4170c67
LP		 3903 }
3904
f69567cb
LP		 3905 r = apply_restrict_suid_sgid(unit, context);
3906 if (r < 0) {
3907 *exit_status = EXIT_SECCOMP;
3908 return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
3909 }
3910
add00535
LP		 3911 r = apply_restrict_namespaces(unit, context);
3912 if (r < 0) {
3913 *exit_status = EXIT_SECCOMP;
12145637 3914 return log_unit_error_errno(unit, r, "Failed to apply namespace restrictions: %m");
add00535
LP		 3915 }
3916
469830d1
LP		 3917 r = apply_protect_sysctl(unit, context);
3918 if (r < 0) {
3919 *exit_status = EXIT_SECCOMP;
12145637 3920 return log_unit_error_errno(unit, r, "Failed to apply sysctl restrictions: %m");
502d704e
DH		 3921 }
3922
469830d1
LP		 3923 r = apply_protect_kernel_modules(unit, context);
3924 if (r < 0) {
3925 *exit_status = EXIT_SECCOMP;
12145637 3926 return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
59eeb84b
LP		 3927 }
3928
84703040
KK		 3929 r = apply_protect_kernel_logs(unit, context);
3930 if (r < 0) {
3931 *exit_status = EXIT_SECCOMP;
3932 return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
3933 }
3934
fc64760d
KK		 3935 r = apply_protect_clock(unit, context);
3936 if (r < 0) {
3937 *exit_status = EXIT_SECCOMP;
3938 return log_unit_error_errno(unit, r, "Failed to apply clock restrictions: %m");
3939 }
3940
469830d1
LP		 3941 r = apply_private_devices(unit, context);
3942 if (r < 0) {
3943 *exit_status = EXIT_SECCOMP;
12145637 3944 return log_unit_error_errno(unit, r, "Failed to set up private devices: %m");
469830d1
LP		 3945 }
3946
3947 r = apply_syscall_archs(unit, context);
3948 if (r < 0) {
3949 *exit_status = EXIT_SECCOMP;
12145637 3950 return log_unit_error_errno(unit, r, "Failed to apply syscall architecture restrictions: %m");
ba128bb8
LP		 3951 }
3952
78e864e5
TM		 3953 r = apply_lock_personality(unit, context);
3954 if (r < 0) {
3955 *exit_status = EXIT_SECCOMP;
12145637 3956 return log_unit_error_errno(unit, r, "Failed to lock personalities: %m");
78e864e5
TM		 3957 }
3958
5cd9cd35
LP		 3959 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
3960 * by the filter as little as possible. */
165a31c0 3961 r = apply_syscall_filter(unit, context, needs_ambient_hack);
469830d1
LP		 3962 if (r < 0) {
3963 *exit_status = EXIT_SECCOMP;
12145637 3964 return log_unit_error_errno(unit, r, "Failed to apply system call filters: %m");
d35fbf6b
DM		 3965 }
3966#endif
d35fbf6b 3967 }
034c6ed7 3968
00819cc1
LP		 3969 if (!strv_isempty(context->unset_environment)) {
3970 char **ee = NULL;
3971
3972 ee = strv_env_delete(accum_env, 1, context->unset_environment);
3973 if (!ee) {
3974 *exit_status = EXIT_MEMORY;
12145637 3975 return log_oom();
00819cc1
LP		 3976 }
3977
130d3d22 3978 strv_free_and_replace(accum_env, ee);
00819cc1
LP		 3979 }
3980
7ca69792
AZ		 3981 if (!FLAGS_SET(command->flags, EXEC_COMMAND_NO_ENV_EXPAND)) {
3982 replaced_argv = replace_env_argv(command->argv, accum_env);
3983 if (!replaced_argv) {
3984 *exit_status = EXIT_MEMORY;
3985 return log_oom();
3986 }
3987 final_argv = replaced_argv;
3988 } else
3989 final_argv = command->argv;
034c6ed7 3990
f1d34068 3991 if (DEBUG_LOGGING) {
d35fbf6b 3992 _cleanup_free_ char *line;
81a2b7ce 3993
d35fbf6b 3994 line = exec_command_line(final_argv);
a1230ff9 3995 if (line)
f2341e0a 3996 log_struct(LOG_DEBUG,
f2341e0a
LP		 3997 "EXECUTABLE=%s", command->path,
3998 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 3999 LOG_UNIT_ID(unit),
a1230ff9 4000 LOG_UNIT_INVOCATION_ID(unit));
d35fbf6b 4001 }
dd305ec9 4002
5686391b
LP		 4003 if (exec_fd >= 0) {
4004 uint8_t hot = 1;
4005
4006 /* We have finished with all our initializations. Let's now let the manager know that. From this point
4007 * on, if the manager sees POLLHUP on the exec_fd, then execve() was successful. */
4008
4009 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
4010 *exit_status = EXIT_EXEC;
4011 return log_unit_error_errno(unit, errno, "Failed to enable exec_fd: %m");
4012 }
4013 }
4014
2065ca69 4015 execve(command->path, final_argv, accum_env);
5686391b
LP		 4016 r = -errno;
4017
4018 if (exec_fd >= 0) {
4019 uint8_t hot = 0;
4020
4021 /* The execve() failed. This means the exec_fd is still open. Which means we need to tell the manager
4022 * that POLLHUP on it no longer means execve() succeeded. */
4023
4024 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
4025 *exit_status = EXIT_EXEC;
4026 return log_unit_error_errno(unit, errno, "Failed to disable exec_fd: %m");
4027 }
4028 }
12145637 4029
5686391b
LP		 4030 if (r == -ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE)) {
4031 log_struct_errno(LOG_INFO, r,
12145637
LP		 4032 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4033 LOG_UNIT_ID(unit),
4034 LOG_UNIT_INVOCATION_ID(unit),
4035 LOG_UNIT_MESSAGE(unit, "Executable %s missing, skipping: %m",
4036 command->path),
a1230ff9 4037 "EXECUTABLE=%s", command->path);
12145637
LP		 4038 return 0;
4039 }
4040
ff0af2a1 4041 *exit_status = EXIT_EXEC;
5686391b 4042 return log_unit_error_errno(unit, r, "Failed to execute command: %m");
d35fbf6b 4043}
81a2b7ce 4044
34cf6c43 4045static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l);
2caa38e9 4046static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[static 3]);
34cf6c43 4047
f2341e0a
LP		 4048int exec_spawn(Unit *unit,
4049 ExecCommand *command,
d35fbf6b
DM		 4050 const ExecContext *context,
4051 const ExecParameters *params,
4052 ExecRuntime *runtime,
29206d46 4053 DynamicCreds *dcreds,
d35fbf6b 4054 pid_t *ret) {
8351ceae 4055
ee39ca20 4056 int socket_fd, r, named_iofds[3] = { -1, -1, -1 }, *fds = NULL;
78f93209 4057 _cleanup_free_ char *subcgroup_path = NULL;
d35fbf6b 4058 _cleanup_strv_free_ char **files_env = NULL;
da6053d0 4059 size_t n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1 4060 _cleanup_free_ char *line = NULL;
d35fbf6b 4061 pid_t pid;
8351ceae 4062
f2341e0a 4063 assert(unit);
d35fbf6b
DM		 4064 assert(command);
4065 assert(context);
4066 assert(ret);
4067 assert(params);
25b583d7 4068 assert(params->fds || (params->n_socket_fds + params->n_storage_fds <= 0));
4298d0b5 4069
d35fbf6b
DM		 4070 if (context->std_input == EXEC_INPUT_SOCKET ||
4071 context->std_output == EXEC_OUTPUT_SOCKET ||
4072 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 4073
4c47affc 4074 if (params->n_socket_fds > 1) {
f2341e0a 4075 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 4076 return -EINVAL;
ff0af2a1 4077 }
eef65bf3 4078
4c47affc 4079 if (params->n_socket_fds == 0) {
488ab41c
AA		 4080 log_unit_error(unit, "Got no socket.");
4081 return -EINVAL;
4082 }
4083
d35fbf6b
DM		 4084 socket_fd = params->fds[0];
4085 } else {
4086 socket_fd = -1;
4087 fds = params->fds;
9b141911 4088 n_socket_fds = params->n_socket_fds;
25b583d7 4089 n_storage_fds = params->n_storage_fds;
d35fbf6b 4090 }
94f04347 4091
34cf6c43 4092 r = exec_context_named_iofds(context, params, named_iofds);
52c239d7
LB		 4093 if (r < 0)
4094 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
4095
f2341e0a 4096 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 4097 if (r < 0)
f2341e0a 4098 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 4099
ee39ca20 4100 line = exec_command_line(command->argv);
d35fbf6b
DM		 4101 if (!line)
4102 return log_oom();
fab56fc5 4103
f2341e0a 4104 log_struct(LOG_DEBUG,
f2341e0a
LP		 4105 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
4106 "EXECUTABLE=%s", command->path,
ba360bb0 4107 LOG_UNIT_ID(unit),
a1230ff9 4108 LOG_UNIT_INVOCATION_ID(unit));
12145637 4109
78f93209
LP		 4110 if (params->cgroup_path) {
4111 r = exec_parameters_get_cgroup_path(params, &subcgroup_path);
4112 if (r < 0)
4113 return log_unit_error_errno(unit, r, "Failed to acquire subcgroup path: %m");
4114 if (r > 0) { /* We are using a child cgroup */
4115 r = cg_create(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path);
4116 if (r < 0)
4117 return log_unit_error_errno(unit, r, "Failed to create control group '%s': %m", subcgroup_path);
4118 }
4119 }
4120
d35fbf6b
DM		 4121 pid = fork();
4122 if (pid < 0)
74129a12 4123 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 4124
4125 if (pid == 0) {
12145637 4126 int exit_status = EXIT_SUCCESS;
ff0af2a1 4127
f2341e0a
LP		 4128 r = exec_child(unit,
4129 command,
ff0af2a1
LP		 4130 context,
4131 params,
4132 runtime,
29206d46 4133 dcreds,
ff0af2a1 4134 socket_fd,
52c239d7 4135 named_iofds,
4c47affc 4136 fds,
9b141911 4137 n_socket_fds,
25b583d7 4138 n_storage_fds,
ff0af2a1 4139 files_env,
00d9ef85 4140 unit->manager->user_lookup_fds[1],
12145637
LP		 4141 &exit_status);
4142
e1714f02
ZJS		 4143 if (r < 0) {
4144 const char *status =
4145 exit_status_to_string(exit_status,
e04ed6db 4146 EXIT_STATUS_LIBC | EXIT_STATUS_SYSTEMD);
e1714f02 4147
12145637
LP		 4148 log_struct_errno(LOG_ERR, r,
4149 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4150 LOG_UNIT_ID(unit),
4151 LOG_UNIT_INVOCATION_ID(unit),
4152 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
e1714f02 4153 status, command->path),
a1230ff9 4154 "EXECUTABLE=%s", command->path);
e1714f02 4155 }
4c2630eb 4156
ff0af2a1 4157 _exit(exit_status);
034c6ed7
LP		 4158 }
4159
f2341e0a 4160 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 4161
78f93209
LP		 4162 /* We add the new process to the cgroup both in the child (so that we can be sure that no user code is ever
4163 * executed outside of the cgroup) and in the parent (so that we can be sure that when we kill the cgroup the
4164 * process will be killed too). */
4165 if (subcgroup_path)
4166 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path, pid);
2da3263a 4167
b58b4116 4168 exec_status_start(&command->exec_status, pid);
9fb86720 4169
034c6ed7 4170 *ret = pid;
5cb5a6ff
LP		 4171 return 0;
4172}
4173
034c6ed7 4174void exec_context_init(ExecContext *c) {
3536f49e
YW		 4175 ExecDirectoryType i;
4176
034c6ed7
LP		 4177 assert(c);
4178
4c12626c 4179 c->umask = 0022;
9eba9da4 4180 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 4181 c->cpu_sched_policy = SCHED_OTHER;
071830ff 4182 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 4183 c->syslog_level_prefix = true;
353e12c2 4184 c->ignore_sigpipe = true;
3a43da28 4185 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 4186 c->personality = PERSONALITY_INVALID;
72fd1768 4187 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 4188 c->directories[i].mode = 0755;
12213aed 4189 c->timeout_clean_usec = USEC_INFINITY;
a103496c 4190 c->capability_bounding_set = CAP_ALL;
aa9d574d
YW		 4191 assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL);
4192 c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
d3070fbd 4193 c->log_level_max = -1;
b070c7c0 4194 numa_policy_reset(&c->numa_policy);
034c6ed7
LP		 4195}
4196
613b411c 4197void exec_context_done(ExecContext *c) {
3536f49e 4198 ExecDirectoryType i;
d3070fbd 4199 size_t l;
5cb5a6ff
LP		 4200
4201 assert(c);
4202
6796073e
LP		 4203 c->environment = strv_free(c->environment);
4204 c->environment_files = strv_free(c->environment_files);
b4c14404 4205 c->pass_environment = strv_free(c->pass_environment);
00819cc1 4206 c->unset_environment = strv_free(c->unset_environment);
8c7be95e 4207
31ce987c 4208 rlimit_free_all(c->rlimit);
034c6ed7 4209
2038c3f5 4210 for (l = 0; l < 3; l++) {
52c239d7 4211 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2038c3f5
LP		 4212 c->stdio_file[l] = mfree(c->stdio_file[l]);
4213 }
52c239d7 4214
a1e58e8e
LP		 4215 c->working_directory = mfree(c->working_directory);
4216 c->root_directory = mfree(c->root_directory);
915e6d16 4217 c->root_image = mfree(c->root_image);
18d73705 4218 c->root_image_options = mount_options_free_all(c->root_image_options);
0389f4fa
LB		 4219 c->root_hash = mfree(c->root_hash);
4220 c->root_hash_size = 0;
4221 c->root_hash_path = mfree(c->root_hash_path);
d4d55b0d
LB		 4222 c->root_hash_sig = mfree(c->root_hash_sig);
4223 c->root_hash_sig_size = 0;
4224 c->root_hash_sig_path = mfree(c->root_hash_sig_path);
0389f4fa 4225 c->root_verity = mfree(c->root_verity);
a1e58e8e
LP		 4226 c->tty_path = mfree(c->tty_path);
4227 c->syslog_identifier = mfree(c->syslog_identifier);
4228 c->user = mfree(c->user);
4229 c->group = mfree(c->group);
034c6ed7 4230
6796073e 4231 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 4232
a1e58e8e 4233 c->pam_name = mfree(c->pam_name);
5b6319dc 4234
2a624c36
AP		 4235 c->read_only_paths = strv_free(c->read_only_paths);
4236 c->read_write_paths = strv_free(c->read_write_paths);
4237 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 4238
d2d6c096 4239 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
8e06d57c
YW		 4240 c->bind_mounts = NULL;
4241 c->n_bind_mounts = 0;
2abd4e38
YW		 4242 temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
4243 c->temporary_filesystems = NULL;
4244 c->n_temporary_filesystems = 0;
b3d13314 4245 c->mount_images = mount_image_free_many(c->mount_images, &c->n_mount_images);
d2d6c096 4246
0985c7c4 4247 cpu_set_reset(&c->cpu_set);
b070c7c0 4248 numa_policy_reset(&c->numa_policy);
86a3475b 4249
a1e58e8e
LP		 4250 c->utmp_id = mfree(c->utmp_id);
4251 c->selinux_context = mfree(c->selinux_context);
4252 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 4253 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 4254
8cfa775f 4255 c->syscall_filter = hashmap_free(c->syscall_filter);
525d3cc7
LP		 4256 c->syscall_archs = set_free(c->syscall_archs);
4257 c->address_families = set_free(c->address_families);
e66cf1a3 4258
72fd1768 4259 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 4260 c->directories[i].paths = strv_free(c->directories[i].paths);
d3070fbd
LP		 4261
4262 c->log_level_max = -1;
4263
4264 exec_context_free_log_extra_fields(c);
08f3be7a 4265
5ac1530e
ZJS		 4266 c->log_ratelimit_interval_usec = 0;
4267 c->log_ratelimit_burst = 0;
90fc172e 4268
08f3be7a
LP		 4269 c->stdin_data = mfree(c->stdin_data);
4270 c->stdin_data_size = 0;
a8d08f39
LP		 4271
4272 c->network_namespace_path = mfree(c->network_namespace_path);
91dd5f7c
LP		 4273
4274 c->log_namespace = mfree(c->log_namespace);
e66cf1a3
LP		 4275}
4276
34cf6c43 4277int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) {
e66cf1a3
LP		 4278 char **i;
4279
4280 assert(c);
4281
4282 if (!runtime_prefix)
4283 return 0;
4284
3536f49e 4285 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 4286 _cleanup_free_ char *p;
4287
494d0247
YW		 4288 if (exec_directory_is_private(c, EXEC_DIRECTORY_RUNTIME))
4289 p = path_join(runtime_prefix, "private", *i);
4290 else
4291 p = path_join(runtime_prefix, *i);
e66cf1a3
LP		 4292 if (!p)
4293 return -ENOMEM;
4294
7bc4bf4a
LP		 4295 /* We execute this synchronously, since we need to be sure this is gone when we start the
4296 * service next. */
c6878637 4297 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 4298 }
4299
4300 return 0;
5cb5a6ff
LP		 4301}
4302
34cf6c43 4303static void exec_command_done(ExecCommand *c) {
43d0fcbd
LP		 4304 assert(c);
4305
a1e58e8e 4306 c->path = mfree(c->path);
6796073e 4307 c->argv = strv_free(c->argv);
43d0fcbd
LP		 4308}
4309
da6053d0
LP		 4310void exec_command_done_array(ExecCommand *c, size_t n) {
4311 size_t i;
43d0fcbd
LP		 4312
4313 for (i = 0; i < n; i++)
4314 exec_command_done(c+i);
4315}
4316
f1acf85a 4317ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 4318 ExecCommand *i;
4319
4320 while ((i = c)) {
71fda00f 4321 LIST_REMOVE(command, c, i);
43d0fcbd 4322 exec_command_done(i);
5cb5a6ff
LP		 4323 free(i);
4324 }
f1acf85a
ZJS		 4325
4326 return NULL;
5cb5a6ff
LP		 4327}
4328
da6053d0
LP		 4329void exec_command_free_array(ExecCommand **c, size_t n) {
4330 size_t i;
034c6ed7 4331
f1acf85a
ZJS		 4332 for (i = 0; i < n; i++)
4333 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 4334}
4335
6a1d4d9f
LP		 4336void exec_command_reset_status_array(ExecCommand *c, size_t n) {
4337 size_t i;
4338
4339 for (i = 0; i < n; i++)
4340 exec_status_reset(&c[i].exec_status);
4341}
4342
4343void exec_command_reset_status_list_array(ExecCommand **c, size_t n) {
4344 size_t i;
4345
4346 for (i = 0; i < n; i++) {
4347 ExecCommand *z;
4348
4349 LIST_FOREACH(command, z, c[i])
4350 exec_status_reset(&z->exec_status);
4351 }
4352}
4353
039f0e70 4354typedef struct InvalidEnvInfo {
34cf6c43 4355 const Unit *unit;
039f0e70
LP		 4356 const char *path;
4357} InvalidEnvInfo;
4358
4359static void invalid_env(const char *p, void *userdata) {
4360 InvalidEnvInfo *info = userdata;
4361
f2341e0a 4362 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 4363}
4364
52c239d7
LB		 4365const char* exec_context_fdname(const ExecContext *c, int fd_index) {
4366 assert(c);
4367
4368 switch (fd_index) {
5073ff6b 4369
52c239d7
LB		 4370 case STDIN_FILENO:
4371 if (c->std_input != EXEC_INPUT_NAMED_FD)
4372 return NULL;
5073ff6b 4373
52c239d7 4374 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
5073ff6b 4375
52c239d7
LB		 4376 case STDOUT_FILENO:
4377 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
4378 return NULL;
5073ff6b 4379
52c239d7 4380 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
5073ff6b 4381
52c239d7
LB		 4382 case STDERR_FILENO:
4383 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
4384 return NULL;
5073ff6b 4385
52c239d7 4386 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
5073ff6b 4387
52c239d7
LB		 4388 default:
4389 return NULL;
4390 }
4391}
4392
2caa38e9
LP		 4393static int exec_context_named_iofds(
4394 const ExecContext *c,
4395 const ExecParameters *p,
4396 int named_iofds[static 3]) {
4397
da6053d0 4398 size_t i, targets;
56fbd561 4399 const char* stdio_fdname[3];
da6053d0 4400 size_t n_fds;
52c239d7
LB		 4401
4402 assert(c);
4403 assert(p);
2caa38e9 4404 assert(named_iofds);
52c239d7
LB		 4405
4406 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
4407 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
4408 (c->std_error == EXEC_OUTPUT_NAMED_FD);
4409
4410 for (i = 0; i < 3; i++)
4411 stdio_fdname[i] = exec_context_fdname(c, i);
4412
4c47affc
FB		 4413 n_fds = p->n_storage_fds + p->n_socket_fds;
4414
4415 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 4416 if (named_iofds[STDIN_FILENO] < 0 &&
4417 c->std_input == EXEC_INPUT_NAMED_FD &&
4418 stdio_fdname[STDIN_FILENO] &&
4419 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
4420
52c239d7
LB		 4421 named_iofds[STDIN_FILENO] = p->fds[i];
4422 targets--;
56fbd561
ZJS		 4423
4424 } else if (named_iofds[STDOUT_FILENO] < 0 &&
4425 c->std_output == EXEC_OUTPUT_NAMED_FD &&
4426 stdio_fdname[STDOUT_FILENO] &&
4427 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
4428
52c239d7
LB		 4429 named_iofds[STDOUT_FILENO] = p->fds[i];
4430 targets--;
56fbd561
ZJS		 4431
4432 } else if (named_iofds[STDERR_FILENO] < 0 &&
4433 c->std_error == EXEC_OUTPUT_NAMED_FD &&
4434 stdio_fdname[STDERR_FILENO] &&
4435 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
4436
52c239d7
LB		 4437 named_iofds[STDERR_FILENO] = p->fds[i];
4438 targets--;
4439 }
4440
56fbd561 4441 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 4442}
4443
34cf6c43 4444static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 4445 char **i, **r = NULL;
4446
4447 assert(c);
4448 assert(l);
4449
4450 STRV_FOREACH(i, c->environment_files) {
4451 char *fn;
52511fae
ZJS		 4452 int k;
4453 unsigned n;
8c7be95e
LP		 4454 bool ignore = false;
4455 char **p;
7fd1b19b 4456 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 4457
4458 fn = *i;
4459
4460 if (fn[0] == '-') {
4461 ignore = true;
313cefa1 4462 fn++;
8c7be95e
LP		 4463 }
4464
4465 if (!path_is_absolute(fn)) {
8c7be95e
LP		 4466 if (ignore)
4467 continue;
4468
4469 strv_free(r);
4470 return -EINVAL;
4471 }
4472
2bef10ab 4473 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 4474 k = safe_glob(fn, 0, &pglob);
4475 if (k < 0) {
2bef10ab
PL		 4476 if (ignore)
4477 continue;
8c7be95e 4478
2bef10ab 4479 strv_free(r);
d8c92e8b 4480 return k;
2bef10ab 4481 }
8c7be95e 4482
d8c92e8b
ZJS		 4483 /* When we don't match anything, -ENOENT should be returned */
4484 assert(pglob.gl_pathc > 0);
4485
4486 for (n = 0; n < pglob.gl_pathc; n++) {
aa8fbc74 4487 k = load_env_file(NULL, pglob.gl_pathv[n], &p);
2bef10ab
PL		 4488 if (k < 0) {
4489 if (ignore)
4490 continue;
8c7be95e 4491
2bef10ab 4492 strv_free(r);
2bef10ab 4493 return k;
e9c1ea9d 4494 }
ebc05a09 4495 /* Log invalid environment variables with filename */
039f0e70
LP		 4496 if (p) {
4497 InvalidEnvInfo info = {
f2341e0a 4498 .unit = unit,
039f0e70
LP		 4499 .path = pglob.gl_pathv[n]
4500 };
4501
4502 p = strv_env_clean_with_callback(p, invalid_env, &info);
4503 }
8c7be95e 4504
234519ae 4505 if (!r)
2bef10ab
PL		 4506 r = p;
4507 else {
4508 char **m;
8c7be95e 4509
2bef10ab
PL		 4510 m = strv_env_merge(2, r, p);
4511 strv_free(r);
4512 strv_free(p);
c84a9488 4513 if (!m)
2bef10ab 4514 return -ENOMEM;
2bef10ab
PL		 4515
4516 r = m;
4517 }
8c7be95e
LP		 4518 }
4519 }
4520
4521 *l = r;
4522
4523 return 0;
4524}
4525
6ac8fdc9 4526static bool tty_may_match_dev_console(const char *tty) {
7b912648 4527 _cleanup_free_ char *resolved = NULL;
6ac8fdc9 4528
1e22b5cd
LP		 4529 if (!tty)
4530 return true;
4531
a119ec7c 4532 tty = skip_dev_prefix(tty);
6ac8fdc9
MS		 4533
4534 /* trivial identity? */
4535 if (streq(tty, "console"))
4536 return true;
4537
7b912648
LP		 4538 if (resolve_dev_console(&resolved) < 0)
4539 return true; /* if we could not resolve, assume it may */
6ac8fdc9
MS		 4540
4541 /* "tty0" means the active VC, so it may be the same sometimes */
955f1c85 4542 return path_equal(resolved, tty) || (streq(resolved, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 4543}
4544
6c0ae739
LP		 4545static bool exec_context_may_touch_tty(const ExecContext *ec) {
4546 assert(ec);
1e22b5cd 4547
6c0ae739 4548 return ec->tty_reset ||
1e22b5cd
LP		 4549 ec->tty_vhangup ||
4550 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 4551 is_terminal_input(ec->std_input) ||
4552 is_terminal_output(ec->std_output) ||
6c0ae739
LP		 4553 is_terminal_output(ec->std_error);
4554}
4555
4556bool exec_context_may_touch_console(const ExecContext *ec) {
4557
4558 return exec_context_may_touch_tty(ec) &&
1e22b5cd 4559 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 4560}
4561
15ae422b
LP		 4562static void strv_fprintf(FILE *f, char **l) {
4563 char **g;
4564
4565 assert(f);
4566
4567 STRV_FOREACH(g, l)
4568 fprintf(f, " %s", *g);
4569}
4570
34cf6c43 4571void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
12213aed 4572 char **e, **d, buf_clean[FORMAT_TIMESPAN_MAX];
d3070fbd 4573 ExecDirectoryType dt;
94f04347 4574 unsigned i;
add00535 4575 int r;
9eba9da4 4576
5cb5a6ff
LP		 4577 assert(c);
4578 assert(f);
4579
4ad49000 4580 prefix = strempty(prefix);
5cb5a6ff
LP		 4581
4582 fprintf(f,
94f04347
LP		 4583 "%sUMask: %04o\n"
4584 "%sWorkingDirectory: %s\n"
451a074f 4585 "%sRootDirectory: %s\n"
15ae422b 4586 "%sNonBlocking: %s\n"
64747e2d 4587 "%sPrivateTmp: %s\n"
7f112f50 4588 "%sPrivateDevices: %s\n"
59eeb84b 4589 "%sProtectKernelTunables: %s\n"
e66a2f65 4590 "%sProtectKernelModules: %s\n"
84703040 4591 "%sProtectKernelLogs: %s\n"
fc64760d 4592 "%sProtectClock: %s\n"
59eeb84b 4593 "%sProtectControlGroups: %s\n"
d251207d
LP		 4594 "%sPrivateNetwork: %s\n"
4595 "%sPrivateUsers: %s\n"
1b8689f9
LP		 4596 "%sProtectHome: %s\n"
4597 "%sProtectSystem: %s\n"
5d997827 4598 "%sMountAPIVFS: %s\n"
f3e43635 4599 "%sIgnoreSIGPIPE: %s\n"
f4170c67 4600 "%sMemoryDenyWriteExecute: %s\n"
b1edf445 4601 "%sRestrictRealtime: %s\n"
f69567cb 4602 "%sRestrictSUIDSGID: %s\n"
aecd5ac6
TM		 4603 "%sKeyringMode: %s\n"
4604 "%sProtectHostname: %s\n",
5cb5a6ff 4605 prefix, c->umask,
9eba9da4 4606 prefix, c->working_directory ? c->working_directory : "/",
451a074f 4607 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 4608 prefix, yes_no(c->non_blocking),
64747e2d 4609 prefix, yes_no(c->private_tmp),
7f112f50 4610 prefix, yes_no(c->private_devices),
59eeb84b 4611 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 4612 prefix, yes_no(c->protect_kernel_modules),
84703040 4613 prefix, yes_no(c->protect_kernel_logs),
fc64760d 4614 prefix, yes_no(c->protect_clock),
59eeb84b 4615 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 4616 prefix, yes_no(c->private_network),
4617 prefix, yes_no(c->private_users),
1b8689f9
LP		 4618 prefix, protect_home_to_string(c->protect_home),
4619 prefix, protect_system_to_string(c->protect_system),
5d997827 4620 prefix, yes_no(c->mount_apivfs),
f3e43635 4621 prefix, yes_no(c->ignore_sigpipe),
f4170c67 4622 prefix, yes_no(c->memory_deny_write_execute),
b1edf445 4623 prefix, yes_no(c->restrict_realtime),
f69567cb 4624 prefix, yes_no(c->restrict_suid_sgid),
aecd5ac6
TM		 4625 prefix, exec_keyring_mode_to_string(c->keyring_mode),
4626 prefix, yes_no(c->protect_hostname));
fb33a393 4627
915e6d16
LP		 4628 if (c->root_image)
4629 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
4630
18d73705
LB		 4631 if (c->root_image_options) {
4632 MountOptions *o;
4633
4634 fprintf(f, "%sRootImageOptions:", prefix);
4635 LIST_FOREACH(mount_options, o, c->root_image_options)
4636 if (!isempty(o->options))
9ece6444
LB		 4637 fprintf(f, " %s:%s",
4638 partition_designator_to_string(o->partition_designator),
4639 o->options);
18d73705
LB		 4640 fprintf(f, "\n");
4641 }
4642
0389f4fa
LB		 4643 if (c->root_hash) {
4644 _cleanup_free_ char *encoded = NULL;
4645 encoded = hexmem(c->root_hash, c->root_hash_size);
4646 if (encoded)
4647 fprintf(f, "%sRootHash: %s\n", prefix, encoded);
4648 }
4649
4650 if (c->root_hash_path)
4651 fprintf(f, "%sRootHash: %s\n", prefix, c->root_hash_path);
4652
d4d55b0d
LB		 4653 if (c->root_hash_sig) {
4654 _cleanup_free_ char *encoded = NULL;
4655 ssize_t len;
4656 len = base64mem(c->root_hash_sig, c->root_hash_sig_size, &encoded);
4657 if (len)
4658 fprintf(f, "%sRootHashSignature: base64:%s\n", prefix, encoded);
4659 }
4660
4661 if (c->root_hash_sig_path)
4662 fprintf(f, "%sRootHashSignature: %s\n", prefix, c->root_hash_sig_path);
4663
0389f4fa
LB		 4664 if (c->root_verity)
4665 fprintf(f, "%sRootVerity: %s\n", prefix, c->root_verity);
4666
8c7be95e
LP		 4667 STRV_FOREACH(e, c->environment)
4668 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
4669
4670 STRV_FOREACH(e, c->environment_files)
4671 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 4672
b4c14404
FB		 4673 STRV_FOREACH(e, c->pass_environment)
4674 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
4675
00819cc1
LP		 4676 STRV_FOREACH(e, c->unset_environment)
4677 fprintf(f, "%sUnsetEnvironment: %s\n", prefix, *e);
4678
53f47dfc
YW		 4679 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
4680
72fd1768 4681 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
3536f49e
YW		 4682 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
4683
4684 STRV_FOREACH(d, c->directories[dt].paths)
4685 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
4686 }
c2bbd90b 4687
12213aed
YW		 4688 fprintf(f,
4689 "%sTimeoutCleanSec: %s\n",
4690 prefix, format_timespan(buf_clean, sizeof(buf_clean), c->timeout_clean_usec, USEC_PER_SEC));
4691
fb33a393
LP		 4692 if (c->nice_set)
4693 fprintf(f,
4694 "%sNice: %i\n",
4695 prefix, c->nice);
4696
dd6c17b1 4697 if (c->oom_score_adjust_set)
fb33a393 4698 fprintf(f,
dd6c17b1
LP		 4699 "%sOOMScoreAdjust: %i\n",
4700 prefix, c->oom_score_adjust);
9eba9da4 4701
ad21e542
ZJS		 4702 if (c->coredump_filter_set)
4703 fprintf(f,
4704 "%sCoredumpFilter: 0x%"PRIx64"\n",
4705 prefix, c->coredump_filter);
4706
94f04347 4707 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d 4708 if (c->rlimit[i]) {
4c3a2b84 4709 fprintf(f, "%sLimit%s: " RLIM_FMT "\n",
3c11da9d 4710 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
4c3a2b84 4711 fprintf(f, "%sLimit%sSoft: " RLIM_FMT "\n",
3c11da9d
EV		 4712 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
4713 }
94f04347 4714
f8b69d1d 4715 if (c->ioprio_set) {
1756a011 4716 _cleanup_free_ char *class_str = NULL;
f8b69d1d 4717
837df140
YW		 4718 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
4719 if (r >= 0)
4720 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
4721
4722 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 4723 }
94f04347 4724
f8b69d1d 4725 if (c->cpu_sched_set) {
1756a011 4726 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 4727
837df140
YW		 4728 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
4729 if (r >= 0)
4730 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
4731
94f04347 4732 fprintf(f,
38b48754
LP		 4733 "%sCPUSchedulingPriority: %i\n"
4734 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 4735 prefix, c->cpu_sched_priority,
4736 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 4737 }
94f04347 4738
0985c7c4 4739 if (c->cpu_set.set) {
e7fca352
MS		 4740 _cleanup_free_ char *affinity = NULL;
4741
4742 affinity = cpu_set_to_range_string(&c->cpu_set);
4743 fprintf(f, "%sCPUAffinity: %s\n", prefix, affinity);
94f04347
LP		 4744 }
4745
b070c7c0
MS		 4746 if (mpol_is_valid(numa_policy_get_type(&c->numa_policy))) {
4747 _cleanup_free_ char *nodes = NULL;
4748
4749 nodes = cpu_set_to_range_string(&c->numa_policy.nodes);
4750 fprintf(f, "%sNUMAPolicy: %s\n", prefix, mpol_to_string(numa_policy_get_type(&c->numa_policy)));
4751 fprintf(f, "%sNUMAMask: %s\n", prefix, strnull(nodes));
4752 }
4753
3a43da28 4754 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 4755 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 4756
4757 fprintf(f,
80876c20
LP		 4758 "%sStandardInput: %s\n"
4759 "%sStandardOutput: %s\n"
4760 "%sStandardError: %s\n",
4761 prefix, exec_input_to_string(c->std_input),
4762 prefix, exec_output_to_string(c->std_output),
4763 prefix, exec_output_to_string(c->std_error));
4764
befc4a80
LP		 4765 if (c->std_input == EXEC_INPUT_NAMED_FD)
4766 fprintf(f, "%sStandardInputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDIN_FILENO]);
4767 if (c->std_output == EXEC_OUTPUT_NAMED_FD)
4768 fprintf(f, "%sStandardOutputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDOUT_FILENO]);
4769 if (c->std_error == EXEC_OUTPUT_NAMED_FD)
4770 fprintf(f, "%sStandardErrorFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDERR_FILENO]);
4771
4772 if (c->std_input == EXEC_INPUT_FILE)
4773 fprintf(f, "%sStandardInputFile: %s\n", prefix, c->stdio_file[STDIN_FILENO]);
4774 if (c->std_output == EXEC_OUTPUT_FILE)
4775 fprintf(f, "%sStandardOutputFile: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
566b7d23
ZD		 4776 if (c->std_output == EXEC_OUTPUT_FILE_APPEND)
4777 fprintf(f, "%sStandardOutputFileToAppend: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
befc4a80
LP		 4778 if (c->std_error == EXEC_OUTPUT_FILE)
4779 fprintf(f, "%sStandardErrorFile: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
566b7d23
ZD		 4780 if (c->std_error == EXEC_OUTPUT_FILE_APPEND)
4781 fprintf(f, "%sStandardErrorFileToAppend: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
befc4a80 4782
80876c20
LP		 4783 if (c->tty_path)
4784 fprintf(f,
6ea832a2
LP		 4785 "%sTTYPath: %s\n"
4786 "%sTTYReset: %s\n"
4787 "%sTTYVHangup: %s\n"
4788 "%sTTYVTDisallocate: %s\n",
4789 prefix, c->tty_path,
4790 prefix, yes_no(c->tty_reset),
4791 prefix, yes_no(c->tty_vhangup),
4792 prefix, yes_no(c->tty_vt_disallocate));
94f04347 4793
9f6444eb 4794 if (IN_SET(c->std_output,
9f6444eb
LP		 4795 EXEC_OUTPUT_KMSG,
4796 EXEC_OUTPUT_JOURNAL,
9f6444eb
LP		 4797 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4798 EXEC_OUTPUT_JOURNAL_AND_CONSOLE) ||
4799 IN_SET(c->std_error,
9f6444eb
LP		 4800 EXEC_OUTPUT_KMSG,
4801 EXEC_OUTPUT_JOURNAL,
9f6444eb
LP		 4802 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4803 EXEC_OUTPUT_JOURNAL_AND_CONSOLE)) {
f8b69d1d 4804
5ce70e5b 4805 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 4806
837df140
YW		 4807 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
4808 if (r >= 0)
4809 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 4810
837df140
YW		 4811 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
4812 if (r >= 0)
4813 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 4814 }
94f04347 4815
d3070fbd
LP		 4816 if (c->log_level_max >= 0) {
4817 _cleanup_free_ char *t = NULL;
4818
4819 (void) log_level_to_string_alloc(c->log_level_max, &t);
4820
4821 fprintf(f, "%sLogLevelMax: %s\n", prefix, strna(t));
4822 }
4823
5ac1530e 4824 if (c->log_ratelimit_interval_usec > 0) {
90fc172e
AZ		 4825 char buf_timespan[FORMAT_TIMESPAN_MAX];
4826
4827 fprintf(f,
4828 "%sLogRateLimitIntervalSec: %s\n",
5ac1530e 4829 prefix, format_timespan(buf_timespan, sizeof(buf_timespan), c->log_ratelimit_interval_usec, USEC_PER_SEC));
90fc172e
AZ		 4830 }
4831
5ac1530e
ZJS		 4832 if (c->log_ratelimit_burst > 0)
4833 fprintf(f, "%sLogRateLimitBurst: %u\n", prefix, c->log_ratelimit_burst);
90fc172e 4834
d3070fbd
LP		 4835 if (c->n_log_extra_fields > 0) {
4836 size_t j;
4837
4838 for (j = 0; j < c->n_log_extra_fields; j++) {
4839 fprintf(f, "%sLogExtraFields: ", prefix);
4840 fwrite(c->log_extra_fields[j].iov_base,
4841 1, c->log_extra_fields[j].iov_len,
4842 f);
4843 fputc('\n', f);
4844 }
4845 }
4846
91dd5f7c
LP		 4847 if (c->log_namespace)
4848 fprintf(f, "%sLogNamespace: %s\n", prefix, c->log_namespace);
4849
07d46372
YW		 4850 if (c->secure_bits) {
4851 _cleanup_free_ char *str = NULL;
4852
4853 r = secure_bits_to_string_alloc(c->secure_bits, &str);
4854 if (r >= 0)
4855 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
4856 }
94f04347 4857
a103496c 4858 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 4859 _cleanup_free_ char *str = NULL;
94f04347 4860
dd1f5bd0
YW		 4861 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
4862 if (r >= 0)
4863 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 4864 }
4865
4866 if (c->capability_ambient_set != 0) {
dd1f5bd0 4867 _cleanup_free_ char *str = NULL;
755d4b67 4868
dd1f5bd0
YW		 4869 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
4870 if (r >= 0)
4871 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 4872 }
4873
4874 if (c->user)
f2d3769a 4875 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 4876 if (c->group)
f2d3769a 4877 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 4878
29206d46
LP		 4879 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
4880
ac6e8be6 4881 if (!strv_isempty(c->supplementary_groups)) {
94f04347 4882 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 4883 strv_fprintf(f, c->supplementary_groups);
4884 fputs("\n", f);
4885 }
94f04347 4886
5b6319dc 4887 if (c->pam_name)
f2d3769a 4888 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 4889
58629001 4890 if (!strv_isempty(c->read_write_paths)) {
2a624c36
AP		 4891 fprintf(f, "%sReadWritePaths:", prefix);
4892 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 4893 fputs("\n", f);
4894 }
4895
58629001 4896 if (!strv_isempty(c->read_only_paths)) {
2a624c36
AP		 4897 fprintf(f, "%sReadOnlyPaths:", prefix);
4898 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 4899 fputs("\n", f);
4900 }
94f04347 4901
58629001 4902 if (!strv_isempty(c->inaccessible_paths)) {
2a624c36
AP		 4903 fprintf(f, "%sInaccessiblePaths:", prefix);
4904 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 4905 fputs("\n", f);
4906 }
2e22afe9 4907
d2d6c096 4908 if (c->n_bind_mounts > 0)
4ca763a9
YW		 4909 for (i = 0; i < c->n_bind_mounts; i++)
4910 fprintf(f, "%s%s: %s%s:%s:%s\n", prefix,
d2d6c096 4911 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
4ca763a9 4912 c->bind_mounts[i].ignore_enoent ? "-": "",
d2d6c096
LP		 4913 c->bind_mounts[i].source,
4914 c->bind_mounts[i].destination,
4915 c->bind_mounts[i].recursive ? "rbind" : "norbind");
d2d6c096 4916
2abd4e38
YW		 4917 if (c->n_temporary_filesystems > 0)
4918 for (i = 0; i < c->n_temporary_filesystems; i++) {
4919 TemporaryFileSystem *t = c->temporary_filesystems + i;
4920
4921 fprintf(f, "%sTemporaryFileSystem: %s%s%s\n", prefix,
4922 t->path,
4923 isempty(t->options) ? "" : ":",
4924 strempty(t->options));
4925 }
4926
169c1bda
LP		 4927 if (c->utmp_id)
4928 fprintf(f,
4929 "%sUtmpIdentifier: %s\n",
4930 prefix, c->utmp_id);
7b52a628
MS		 4931
4932 if (c->selinux_context)
4933 fprintf(f,
5f8640fb
LP		 4934 "%sSELinuxContext: %s%s\n",
4935 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 4936
80c21aea
WC		 4937 if (c->apparmor_profile)
4938 fprintf(f,
4939 "%sAppArmorProfile: %s%s\n",
4940 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
4941
4942 if (c->smack_process_label)
4943 fprintf(f,
4944 "%sSmackProcessLabel: %s%s\n",
4945 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
4946
050f7277 4947 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 4948 fprintf(f,
4949 "%sPersonality: %s\n",
4950 prefix, strna(personality_to_string(c->personality)));
4951
78e864e5
TM		 4952 fprintf(f,
4953 "%sLockPersonality: %s\n",
4954 prefix, yes_no(c->lock_personality));
4955
17df7223 4956 if (c->syscall_filter) {
349cc4a5 4957#if HAVE_SECCOMP
17df7223 4958 Iterator j;
8cfa775f 4959 void *id, *val;
17df7223 4960 bool first = true;
351a19b1 4961#endif
17df7223
LP		 4962
4963 fprintf(f,
57183d11 4964 "%sSystemCallFilter: ",
17df7223
LP		 4965 prefix);
4966
6b000af4 4967 if (!c->syscall_allow_list)
17df7223
LP		 4968 fputc('~', f);
4969
349cc4a5 4970#if HAVE_SECCOMP
8cfa775f 4971 HASHMAP_FOREACH_KEY(val, id, c->syscall_filter, j) {
17df7223 4972 _cleanup_free_ char *name = NULL;
8cfa775f
YW		 4973 const char *errno_name = NULL;
4974 int num = PTR_TO_INT(val);
17df7223
LP		 4975
4976 if (first)
4977 first = false;
4978 else
4979 fputc(' ', f);
4980
57183d11 4981 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223 4982 fputs(strna(name), f);
8cfa775f
YW		 4983
4984 if (num >= 0) {
4985 errno_name = errno_to_name(num);
4986 if (errno_name)
4987 fprintf(f, ":%s", errno_name);
4988 else
4989 fprintf(f, ":%d", num);
4990 }
17df7223 4991 }
351a19b1 4992#endif
17df7223
LP		 4993
4994 fputc('\n', f);
4995 }
4996
57183d11 4997 if (c->syscall_archs) {
349cc4a5 4998#if HAVE_SECCOMP
57183d11
LP		 4999 Iterator j;
5000 void *id;
5001#endif
5002
5003 fprintf(f,
5004 "%sSystemCallArchitectures:",
5005 prefix);
5006
349cc4a5 5007#if HAVE_SECCOMP
57183d11
LP		 5008 SET_FOREACH(id, c->syscall_archs, j)
5009 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
5010#endif
5011 fputc('\n', f);
5012 }
5013
add00535
LP		 5014 if (exec_context_restrict_namespaces_set(c)) {
5015 _cleanup_free_ char *s = NULL;
5016
86c2a9f1 5017 r = namespace_flags_to_string(c->restrict_namespaces, &s);
add00535
LP		 5018 if (r >= 0)
5019 fprintf(f, "%sRestrictNamespaces: %s\n",
dd0395b5 5020 prefix, strna(s));
add00535
LP		 5021 }
5022
a8d08f39
LP		 5023 if (c->network_namespace_path)
5024 fprintf(f,
5025 "%sNetworkNamespacePath: %s\n",
5026 prefix, c->network_namespace_path);
5027
3df90f24
YW		 5028 if (c->syscall_errno > 0) {
5029 const char *errno_name;
5030
5031 fprintf(f, "%sSystemCallErrorNumber: ", prefix);
5032
5033 errno_name = errno_to_name(c->syscall_errno);
5034 if (errno_name)
5035 fprintf(f, "%s\n", errno_name);
5036 else
5037 fprintf(f, "%d\n", c->syscall_errno);
5038 }
b3d13314 5039
427353f6
LB		 5040 for (i = 0; i < c->n_mount_images; i++) {
5041 MountOptions *o;
5042
5043 fprintf(f, "%sMountImages: %s%s:%s%s", prefix,
b3d13314
LB		 5044 c->mount_images[i].ignore_enoent ? "-": "",
5045 c->mount_images[i].source,
427353f6
LB		 5046 c->mount_images[i].destination,
5047 LIST_IS_EMPTY(c->mount_images[i].mount_options) ? "": ":");
5048 LIST_FOREACH(mount_options, o, c->mount_images[i].mount_options)
5049 fprintf(f, "%s:%s",
5050 partition_designator_to_string(o->partition_designator),
5051 o->options);
5052 fprintf(f, "\n");
5053 }
5cb5a6ff
LP		 5054}
5055
34cf6c43 5056bool exec_context_maintains_privileges(const ExecContext *c) {
a931ad47
LP		 5057 assert(c);
5058
61233823 5059 /* Returns true if the process forked off would run under
a931ad47
LP		 5060 * an unchanged UID or as root. */
5061
5062 if (!c->user)
5063 return true;
5064
5065 if (streq(c->user, "root") || streq(c->user, "0"))
5066 return true;
5067
5068 return false;
5069}
5070
34cf6c43 5071int exec_context_get_effective_ioprio(const ExecContext *c) {
7f452159
LP		 5072 int p;
5073
5074 assert(c);
5075
5076 if (c->ioprio_set)
5077 return c->ioprio;
5078
5079 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
5080 if (p < 0)
5081 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
5082
5083 return p;
5084}
5085
d3070fbd
LP		 5086void exec_context_free_log_extra_fields(ExecContext *c) {
5087 size_t l;
5088
5089 assert(c);
5090
5091 for (l = 0; l < c->n_log_extra_fields; l++)
5092 free(c->log_extra_fields[l].iov_base);
5093 c->log_extra_fields = mfree(c->log_extra_fields);
5094 c->n_log_extra_fields = 0;
5095}
5096
6f765baf
LP		 5097void exec_context_revert_tty(ExecContext *c) {
5098 int r;
5099
5100 assert(c);
5101
5102 /* First, reset the TTY (possibly kicking everybody else from the TTY) */
5103 exec_context_tty_reset(c, NULL);
5104
5105 /* And then undo what chown_terminal() did earlier. Note that we only do this if we have a path
5106 * configured. If the TTY was passed to us as file descriptor we assume the TTY is opened and managed
5107 * by whoever passed it to us and thus knows better when and how to chmod()/chown() it back. */
5108
5109 if (exec_context_may_touch_tty(c)) {
5110 const char *path;
5111
5112 path = exec_context_tty_path(c);
5113 if (path) {
5114 r = chmod_and_chown(path, TTY_MODE, 0, TTY_GID);
5115 if (r < 0 && r != -ENOENT)
5116 log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s, ignoring: %m", path);
5117 }
5118 }
5119}
5120
4c2f5842
LP		 5121int exec_context_get_clean_directories(
5122 ExecContext *c,
5123 char **prefix,
5124 ExecCleanMask mask,
5125 char ***ret) {
5126
5127 _cleanup_strv_free_ char **l = NULL;
5128 ExecDirectoryType t;
5129 int r;
5130
5131 assert(c);
5132 assert(prefix);
5133 assert(ret);
5134
5135 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
5136 char **i;
5137
5138 if (!FLAGS_SET(mask, 1U << t))
5139 continue;
5140
5141 if (!prefix[t])
5142 continue;
5143
5144 STRV_FOREACH(i, c->directories[t].paths) {
5145 char *j;
5146
5147 j = path_join(prefix[t], *i);
5148 if (!j)
5149 return -ENOMEM;
5150
5151 r = strv_consume(&l, j);
5152 if (r < 0)
5153 return r;
7f622a19
YW		 5154
5155 /* Also remove private directories unconditionally. */
5156 if (t != EXEC_DIRECTORY_CONFIGURATION) {
5157 j = path_join(prefix[t], "private", *i);
5158 if (!j)
5159 return -ENOMEM;
5160
5161 r = strv_consume(&l, j);
5162 if (r < 0)
5163 return r;
5164 }
4c2f5842
LP		 5165 }
5166 }
5167
5168 *ret = TAKE_PTR(l);
5169 return 0;
5170}
5171
5172int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
5173 ExecCleanMask mask = 0;
5174
5175 assert(c);
5176 assert(ret);
5177
5178 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
5179 if (!strv_isempty(c->directories[t].paths))
5180 mask |= 1U << t;
5181
5182 *ret = mask;
5183 return 0;
5184}
5185
b58b4116 5186void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 5187 assert(s);
5cb5a6ff 5188
2ed26ed0
LP		 5189 *s = (ExecStatus) {
5190 .pid = pid,
5191 };
5192
b58b4116
LP		 5193 dual_timestamp_get(&s->start_timestamp);
5194}
5195
34cf6c43 5196void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 5197 assert(s);
5198
2ed26ed0
LP		 5199 if (s->pid != pid) {
5200 *s = (ExecStatus) {
5201 .pid = pid,
5202 };
5203 }
b58b4116 5204
63983207 5205 dual_timestamp_get(&s->exit_timestamp);
9fb86720 5206
034c6ed7
LP		 5207 s->code = code;
5208 s->status = status;
169c1bda 5209
6f765baf
LP		 5210 if (context && context->utmp_id)
5211 (void) utmp_put_dead_process(context->utmp_id, pid, code, status);
9fb86720
LP		 5212}
5213
6a1d4d9f
LP		 5214void exec_status_reset(ExecStatus *s) {
5215 assert(s);
5216
5217 *s = (ExecStatus) {};
5218}
5219
34cf6c43 5220void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) {
9fb86720
LP		 5221 char buf[FORMAT_TIMESTAMP_MAX];
5222
5223 assert(s);
5224 assert(f);
5225
9fb86720
LP		 5226 if (s->pid <= 0)
5227 return;
5228
4c940960
LP		 5229 prefix = strempty(prefix);
5230
9fb86720 5231 fprintf(f,
ccd06097
ZJS		 5232 "%sPID: "PID_FMT"\n",
5233 prefix, s->pid);
9fb86720 5234
af9d16e1 5235 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 5236 fprintf(f,
5237 "%sStart Timestamp: %s\n",
63983207 5238 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 5239
af9d16e1 5240 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 5241 fprintf(f,
5242 "%sExit Timestamp: %s\n"
5243 "%sExit Code: %s\n"
5244 "%sExit Status: %i\n",
63983207 5245 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 5246 prefix, sigchld_code_to_string(s->code),
5247 prefix, s->status);
5cb5a6ff 5248}
44d8db9e 5249
34cf6c43 5250static char *exec_command_line(char **argv) {
44d8db9e
LP		 5251 size_t k;
5252 char *n, *p, **a;
5253 bool first = true;
5254
9e2f7c11 5255 assert(argv);
44d8db9e 5256
9164977d 5257 k = 1;
9e2f7c11 5258 STRV_FOREACH(a, argv)
44d8db9e
LP		 5259 k += strlen(*a)+3;
5260
5cd9cd35
LP		 5261 n = new(char, k);
5262 if (!n)
44d8db9e
LP		 5263 return NULL;
5264
5265 p = n;
9e2f7c11 5266 STRV_FOREACH(a, argv) {
44d8db9e
LP		 5267
5268 if (!first)
5269 *(p++) = ' ';
5270 else
5271 first = false;
5272
5273 if (strpbrk(*a, WHITESPACE)) {
5274 *(p++) = '\'';
5275 p = stpcpy(p, *a);
5276 *(p++) = '\'';
5277 } else
5278 p = stpcpy(p, *a);
5279
5280 }
5281
9164977d
LP		 5282 *p = 0;
5283
44d8db9e
LP		 5284 /* FIXME: this doesn't really handle arguments that have
5285 * spaces and ticks in them */
5286
5287 return n;
5288}
5289
34cf6c43 5290static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 5291 _cleanup_free_ char *cmd = NULL;
4c940960 5292 const char *prefix2;
44d8db9e
LP		 5293
5294 assert(c);
5295 assert(f);
5296
4c940960 5297 prefix = strempty(prefix);
63c372cb 5298 prefix2 = strjoina(prefix, "\t");
44d8db9e 5299
9e2f7c11 5300 cmd = exec_command_line(c->argv);
44d8db9e
LP		 5301 fprintf(f,
5302 "%sCommand Line: %s\n",
4bbccb02 5303 prefix, cmd ? cmd : strerror_safe(ENOMEM));
44d8db9e 5304
9fb86720 5305 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 5306}
5307
5308void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
5309 assert(f);
5310
4c940960 5311 prefix = strempty(prefix);
44d8db9e
LP		 5312
5313 LIST_FOREACH(command, c, c)
5314 exec_command_dump(c, f, prefix);
5315}
94f04347 5316
a6a80b4f
LP		 5317void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
5318 ExecCommand *end;
5319
5320 assert(l);
5321 assert(e);
5322
5323 if (*l) {
35b8ca3a 5324 /* It's kind of important, that we keep the order here */
71fda00f
LP		 5325 LIST_FIND_TAIL(command, *l, end);
5326 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 5327 } else
5328 *l = e;
5329}
5330
26fd040d
LP		 5331int exec_command_set(ExecCommand *c, const char *path, ...) {
5332 va_list ap;
5333 char **l, *p;
5334
5335 assert(c);
5336 assert(path);
5337
5338 va_start(ap, path);
5339 l = strv_new_ap(path, ap);
5340 va_end(ap);
5341
5342 if (!l)
5343 return -ENOMEM;
5344
250a918d
LP		 5345 p = strdup(path);
5346 if (!p) {
26fd040d
LP		 5347 strv_free(l);
5348 return -ENOMEM;
5349 }
5350
6897dfe8 5351 free_and_replace(c->path, p);
26fd040d 5352
130d3d22 5353 return strv_free_and_replace(c->argv, l);
26fd040d
LP		 5354}
5355
86b23b07 5356int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 5357 _cleanup_strv_free_ char **l = NULL;
86b23b07 5358 va_list ap;
86b23b07
JS		 5359 int r;
5360
5361 assert(c);
5362 assert(path);
5363
5364 va_start(ap, path);
5365 l = strv_new_ap(path, ap);
5366 va_end(ap);
5367
5368 if (!l)
5369 return -ENOMEM;
5370
e287086b 5371 r = strv_extend_strv(&c->argv, l, false);
e63ff941 5372 if (r < 0)
86b23b07 5373 return r;
86b23b07
JS		 5374
5375 return 0;
5376}
5377
e8a565cb
YW		 5378static void *remove_tmpdir_thread(void *p) {
5379 _cleanup_free_ char *path = p;
86b23b07 5380
e8a565cb
YW		 5381 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
5382 return NULL;
5383}
5384
5385static ExecRuntime* exec_runtime_free(ExecRuntime *rt, bool destroy) {
5386 int r;
5387
5388 if (!rt)
5389 return NULL;
5390
5391 if (rt->manager)
5392 (void) hashmap_remove(rt->manager->exec_runtime_by_id, rt->id);
5393
5394 /* When destroy is true, then rm_rf tmp_dir and var_tmp_dir. */
56a13a49
ZJS		 5395
5396 if (destroy && rt->tmp_dir && !streq(rt->tmp_dir, RUN_SYSTEMD_EMPTY)) {
e8a565cb
YW		 5397 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
5398
5399 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
56a13a49 5400 if (r < 0)
e8a565cb 5401 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
56a13a49
ZJS		 5402 else
5403 rt->tmp_dir = NULL;
e8a565cb 5404 }
613b411c 5405
56a13a49 5406 if (destroy && rt->var_tmp_dir && !streq(rt->var_tmp_dir, RUN_SYSTEMD_EMPTY)) {
e8a565cb
YW		 5407 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
5408
5409 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
56a13a49 5410 if (r < 0)
e8a565cb 5411 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
56a13a49
ZJS		 5412 else
5413 rt->var_tmp_dir = NULL;
e8a565cb
YW		 5414 }
5415
5416 rt->id = mfree(rt->id);
5417 rt->tmp_dir = mfree(rt->tmp_dir);
5418 rt->var_tmp_dir = mfree(rt->var_tmp_dir);
5419 safe_close_pair(rt->netns_storage_socket);
5420 return mfree(rt);
5421}
5422
5423static void exec_runtime_freep(ExecRuntime **rt) {
da6bc6ed 5424 (void) exec_runtime_free(*rt, false);
e8a565cb
YW		 5425}
5426
56a13a49
ZJS		 5427static int exec_runtime_allocate(ExecRuntime **ret, const char *id) {
5428 _cleanup_free_ char *id_copy = NULL;
8e8009dc 5429 ExecRuntime *n;
613b411c 5430
8e8009dc 5431 assert(ret);
613b411c 5432
56a13a49
ZJS		 5433 id_copy = strdup(id);
5434 if (!id_copy)
5435 return -ENOMEM;
5436
8e8009dc
LP		 5437 n = new(ExecRuntime, 1);
5438 if (!n)
613b411c
LP		 5439 return -ENOMEM;
5440
8e8009dc 5441 *n = (ExecRuntime) {
56a13a49 5442 .id = TAKE_PTR(id_copy),
8e8009dc
LP		 5443 .netns_storage_socket = { -1, -1 },
5444 };
5445
5446 *ret = n;
613b411c
LP		 5447 return 0;
5448}
5449
e8a565cb
YW		 5450static int exec_runtime_add(
5451 Manager *m,
5452 const char *id,
56a13a49
ZJS		 5453 char **tmp_dir,
5454 char **var_tmp_dir,
5455 int netns_storage_socket[2],
e8a565cb
YW		 5456 ExecRuntime **ret) {
5457
5458 _cleanup_(exec_runtime_freep) ExecRuntime *rt = NULL;
613b411c
LP		 5459 int r;
5460
e8a565cb 5461 assert(m);
613b411c
LP		 5462 assert(id);
5463
56a13a49
ZJS		 5464 /* tmp_dir, var_tmp_dir, netns_storage_socket fds are donated on success */
5465
e8a565cb
YW		 5466 r = hashmap_ensure_allocated(&m->exec_runtime_by_id, &string_hash_ops);
5467 if (r < 0)
5468 return r;
613b411c 5469
56a13a49 5470 r = exec_runtime_allocate(&rt, id);
613b411c
LP		 5471 if (r < 0)
5472 return r;
5473
56a13a49
ZJS		 5474 r = hashmap_put(m->exec_runtime_by_id, rt->id, rt);
5475 if (r < 0)
5476 return r;
e8a565cb 5477
56a13a49
ZJS		 5478 assert(!!rt->tmp_dir == !!rt->var_tmp_dir); /* We require both to be set together */
5479 rt->tmp_dir = TAKE_PTR(*tmp_dir);
5480 rt->var_tmp_dir = TAKE_PTR(*var_tmp_dir);
e8a565cb
YW		 5481
5482 if (netns_storage_socket) {
56a13a49
ZJS		 5483 rt->netns_storage_socket[0] = TAKE_FD(netns_storage_socket[0]);
5484 rt->netns_storage_socket[1] = TAKE_FD(netns_storage_socket[1]);
613b411c
LP		 5485 }
5486
e8a565cb
YW		 5487 rt->manager = m;
5488
5489 if (ret)
5490 *ret = rt;
e8a565cb 5491 /* do not remove created ExecRuntime object when the operation succeeds. */
56a13a49 5492 TAKE_PTR(rt);
e8a565cb
YW		 5493 return 0;
5494}
5495
5496static int exec_runtime_make(Manager *m, const ExecContext *c, const char *id, ExecRuntime **ret) {
56a13a49 5497 _cleanup_(namespace_cleanup_tmpdirp) char *tmp_dir = NULL, *var_tmp_dir = NULL;
2fa3742d 5498 _cleanup_close_pair_ int netns_storage_socket[2] = { -1, -1 };
e8a565cb
YW		 5499 int r;
5500
5501 assert(m);
5502 assert(c);
5503 assert(id);
5504
5505 /* It is not necessary to create ExecRuntime object. */
a8d08f39 5506 if (!c->private_network && !c->private_tmp && !c->network_namespace_path)
e8a565cb
YW		 5507 return 0;
5508
efa2f3a1
TM		 5509 if (c->private_tmp &&
5510 !(prefixed_path_strv_contains(c->inaccessible_paths, "/tmp") &&
5511 (prefixed_path_strv_contains(c->inaccessible_paths, "/var/tmp") ||
5512 prefixed_path_strv_contains(c->inaccessible_paths, "/var")))) {
e8a565cb 5513 r = setup_tmp_dirs(id, &tmp_dir, &var_tmp_dir);
613b411c
LP		 5514 if (r < 0)
5515 return r;
5516 }
5517
a8d08f39 5518 if (c->private_network || c->network_namespace_path) {
e8a565cb
YW		 5519 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, netns_storage_socket) < 0)
5520 return -errno;
5521 }
5522
56a13a49 5523 r = exec_runtime_add(m, id, &tmp_dir, &var_tmp_dir, netns_storage_socket, ret);
e8a565cb
YW		 5524 if (r < 0)
5525 return r;
5526
613b411c
LP		 5527 return 1;
5528}
5529
e8a565cb
YW		 5530int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *id, bool create, ExecRuntime **ret) {
5531 ExecRuntime *rt;
5532 int r;
613b411c 5533
e8a565cb
YW		 5534 assert(m);
5535 assert(id);
5536 assert(ret);
5537
5538 rt = hashmap_get(m->exec_runtime_by_id, id);
5539 if (rt)
5540 /* We already have a ExecRuntime object, let's increase the ref count and reuse it */
5541 goto ref;
5542
5543 if (!create)
5544 return 0;
5545
5546 /* If not found, then create a new object. */
5547 r = exec_runtime_make(m, c, id, &rt);
5548 if (r <= 0)
5549 /* When r == 0, it is not necessary to create ExecRuntime object. */
5550 return r;
613b411c 5551
e8a565cb
YW		 5552ref:
5553 /* increment reference counter. */
5554 rt->n_ref++;
5555 *ret = rt;
5556 return 1;
5557}
613b411c 5558
e8a565cb
YW		 5559ExecRuntime *exec_runtime_unref(ExecRuntime *rt, bool destroy) {
5560 if (!rt)
613b411c
LP		 5561 return NULL;
5562
e8a565cb 5563 assert(rt->n_ref > 0);
613b411c 5564
e8a565cb
YW		 5565 rt->n_ref--;
5566 if (rt->n_ref > 0)
f2341e0a
LP		 5567 return NULL;
5568
e8a565cb 5569 return exec_runtime_free(rt, destroy);
613b411c
LP		 5570}
5571
e8a565cb
YW		 5572int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds) {
5573 ExecRuntime *rt;
5574 Iterator i;
5575
5576 assert(m);
613b411c
LP		 5577 assert(f);
5578 assert(fds);
5579
e8a565cb
YW		 5580 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5581 fprintf(f, "exec-runtime=%s", rt->id);
613b411c 5582
e8a565cb
YW		 5583 if (rt->tmp_dir)
5584 fprintf(f, " tmp-dir=%s", rt->tmp_dir);
613b411c 5585
e8a565cb
YW		 5586 if (rt->var_tmp_dir)
5587 fprintf(f, " var-tmp-dir=%s", rt->var_tmp_dir);
613b411c 5588
e8a565cb
YW		 5589 if (rt->netns_storage_socket[0] >= 0) {
5590 int copy;
613b411c 5591
e8a565cb
YW		 5592 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
5593 if (copy < 0)
5594 return copy;
613b411c 5595
e8a565cb
YW		 5596 fprintf(f, " netns-socket-0=%i", copy);
5597 }
613b411c 5598
e8a565cb
YW		 5599 if (rt->netns_storage_socket[1] >= 0) {
5600 int copy;
613b411c 5601
e8a565cb
YW		 5602 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
5603 if (copy < 0)
5604 return copy;
613b411c 5605
e8a565cb
YW		 5606 fprintf(f, " netns-socket-1=%i", copy);
5607 }
5608
5609 fputc('\n', f);
613b411c
LP		 5610 }
5611
5612 return 0;
5613}
5614
e8a565cb
YW		 5615int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds) {
5616 _cleanup_(exec_runtime_freep) ExecRuntime *rt_create = NULL;
5617 ExecRuntime *rt;
613b411c
LP		 5618 int r;
5619
e8a565cb
YW		 5620 /* This is for the migration from old (v237 or earlier) deserialization text.
5621 * Due to the bug #7790, this may not work with the units that use JoinsNamespaceOf=.
5622 * Even if the ExecRuntime object originally created by the other unit, we cannot judge
5623 * so or not from the serialized text, then we always creates a new object owned by this. */
5624
5625 assert(u);
613b411c
LP		 5626 assert(key);
5627 assert(value);
5628
e8a565cb
YW		 5629 /* Manager manages ExecRuntime objects by the unit id.
5630 * So, we omit the serialized text when the unit does not have id (yet?)... */
5631 if (isempty(u->id)) {
5632 log_unit_debug(u, "Invocation ID not found. Dropping runtime parameter.");
5633 return 0;
5634 }
613b411c 5635
e8a565cb
YW		 5636 r = hashmap_ensure_allocated(&u->manager->exec_runtime_by_id, &string_hash_ops);
5637 if (r < 0) {
5638 log_unit_debug_errno(u, r, "Failed to allocate storage for runtime parameter: %m");
5639 return 0;
5640 }
5641
5642 rt = hashmap_get(u->manager->exec_runtime_by_id, u->id);
5643 if (!rt) {
56a13a49 5644 r = exec_runtime_allocate(&rt_create, u->id);
613b411c 5645 if (r < 0)
f2341e0a 5646 return log_oom();
613b411c 5647
e8a565cb
YW		 5648 rt = rt_create;
5649 }
5650
5651 if (streq(key, "tmp-dir")) {
5652 char *copy;
5653
613b411c
LP		 5654 copy = strdup(value);
5655 if (!copy)
5656 return log_oom();
5657
e8a565cb 5658 free_and_replace(rt->tmp_dir, copy);
613b411c
LP		 5659
5660 } else if (streq(key, "var-tmp-dir")) {
5661 char *copy;
5662
613b411c
LP		 5663 copy = strdup(value);
5664 if (!copy)
5665 return log_oom();
5666
e8a565cb 5667 free_and_replace(rt->var_tmp_dir, copy);
613b411c
LP		 5668
5669 } else if (streq(key, "netns-socket-0")) {
5670 int fd;
5671
e8a565cb 5672 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5673 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5674 return 0;
613b411c 5675 }
e8a565cb
YW		 5676
5677 safe_close(rt->netns_storage_socket[0]);
5678 rt->netns_storage_socket[0] = fdset_remove(fds, fd);
5679
613b411c
LP		 5680 } else if (streq(key, "netns-socket-1")) {
5681 int fd;
5682
e8a565cb 5683 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5684 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5685 return 0;
613b411c 5686 }
e8a565cb
YW		 5687
5688 safe_close(rt->netns_storage_socket[1]);
5689 rt->netns_storage_socket[1] = fdset_remove(fds, fd);
613b411c
LP		 5690 } else
5691 return 0;
5692
e8a565cb
YW		 5693 /* If the object is newly created, then put it to the hashmap which manages ExecRuntime objects. */
5694 if (rt_create) {
5695 r = hashmap_put(u->manager->exec_runtime_by_id, rt_create->id, rt_create);
5696 if (r < 0) {
3fe91079 5697 log_unit_debug_errno(u, r, "Failed to put runtime parameter to manager's storage: %m");
e8a565cb
YW		 5698 return 0;
5699 }
613b411c 5700
e8a565cb 5701 rt_create->manager = u->manager;
613b411c 5702
e8a565cb 5703 /* Avoid cleanup */
56a13a49 5704 TAKE_PTR(rt_create);
e8a565cb 5705 }
98b47d54 5706
e8a565cb
YW		 5707 return 1;
5708}
613b411c 5709
56a13a49
ZJS		 5710int exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
5711 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
5712 char *id = NULL;
5713 int r, fdpair[] = {-1, -1};
e8a565cb
YW		 5714 const char *p, *v = value;
5715 size_t n;
613b411c 5716
e8a565cb
YW		 5717 assert(m);
5718 assert(value);
5719 assert(fds);
98b47d54 5720
e8a565cb
YW		 5721 n = strcspn(v, " ");
5722 id = strndupa(v, n);
5723 if (v[n] != ' ')
5724 goto finalize;
5725 p = v + n + 1;
5726
5727 v = startswith(p, "tmp-dir=");
5728 if (v) {
5729 n = strcspn(v, " ");
56a13a49
ZJS		 5730 tmp_dir = strndup(v, n);
5731 if (!tmp_dir)
5732 return log_oom();
e8a565cb
YW		 5733 if (v[n] != ' ')
5734 goto finalize;
5735 p = v + n + 1;
5736 }
5737
5738 v = startswith(p, "var-tmp-dir=");
5739 if (v) {
5740 n = strcspn(v, " ");
56a13a49
ZJS		 5741 var_tmp_dir = strndup(v, n);
5742 if (!var_tmp_dir)
5743 return log_oom();
e8a565cb
YW		 5744 if (v[n] != ' ')
5745 goto finalize;
5746 p = v + n + 1;
5747 }
5748
5749 v = startswith(p, "netns-socket-0=");
5750 if (v) {
5751 char *buf;
5752
5753 n = strcspn(v, " ");
5754 buf = strndupa(v, n);
56a13a49
ZJS		 5755 if (safe_atoi(buf, &fdpair[0]) < 0 || !fdset_contains(fds, fdpair[0]))
5756 return log_debug("Unable to process exec-runtime netns fd specification.");
5757 fdpair[0] = fdset_remove(fds, fdpair[0]);
e8a565cb
YW		 5758 if (v[n] != ' ')
5759 goto finalize;
5760 p = v + n + 1;
613b411c
LP		 5761 }
5762
e8a565cb
YW		 5763 v = startswith(p, "netns-socket-1=");
5764 if (v) {
5765 char *buf;
98b47d54 5766
e8a565cb
YW		 5767 n = strcspn(v, " ");
5768 buf = strndupa(v, n);
56a13a49
ZJS		 5769 if (safe_atoi(buf, &fdpair[1]) < 0 || !fdset_contains(fds, fdpair[1]))
5770 return log_debug("Unable to process exec-runtime netns fd specification.");
5771 fdpair[1] = fdset_remove(fds, fdpair[1]);
e8a565cb 5772 }
98b47d54 5773
e8a565cb 5774finalize:
56a13a49 5775 r = exec_runtime_add(m, id, &tmp_dir, &var_tmp_dir, fdpair, NULL);
7d853ca6 5776 if (r < 0)
56a13a49
ZJS		 5777 return log_debug_errno(r, "Failed to add exec-runtime: %m");
5778 return 0;
e8a565cb 5779}
613b411c 5780
e8a565cb
YW		 5781void exec_runtime_vacuum(Manager *m) {
5782 ExecRuntime *rt;
5783 Iterator i;
5784
5785 assert(m);
5786
5787 /* Free unreferenced ExecRuntime objects. This is used after manager deserialization process. */
5788
5789 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5790 if (rt->n_ref > 0)
5791 continue;
5792
5793 (void) exec_runtime_free(rt, false);
5794 }
613b411c
LP		 5795}
5796
b9c04eaf
YW		 5797void exec_params_clear(ExecParameters *p) {
5798 if (!p)
5799 return;
5800
c3f8a065
LP		 5801 p->environment = strv_free(p->environment);
5802 p->fd_names = strv_free(p->fd_names);
5803 p->fds = mfree(p->fds);
5804 p->exec_fd = safe_close(p->exec_fd);
b9c04eaf
YW		 5805}
5806
80876c20
LP		 5807static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
5808 [EXEC_INPUT_NULL] = "null",
5809 [EXEC_INPUT_TTY] = "tty",
5810 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 5811 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 5812 [EXEC_INPUT_SOCKET] = "socket",
5813 [EXEC_INPUT_NAMED_FD] = "fd",
08f3be7a 5814 [EXEC_INPUT_DATA] = "data",
2038c3f5 5815 [EXEC_INPUT_FILE] = "file",
80876c20
LP		 5816};
5817
8a0867d6
LP		 5818DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
5819
94f04347 5820static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 5821 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 5822 [EXEC_OUTPUT_NULL] = "null",
80876c20 5823 [EXEC_OUTPUT_TTY] = "tty",
9a6bca7a 5824 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 5825 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 5826 [EXEC_OUTPUT_JOURNAL] = "journal",
5827 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 5828 [EXEC_OUTPUT_SOCKET] = "socket",
5829 [EXEC_OUTPUT_NAMED_FD] = "fd",
2038c3f5 5830 [EXEC_OUTPUT_FILE] = "file",
566b7d23 5831 [EXEC_OUTPUT_FILE_APPEND] = "append",
94f04347
LP		 5832};
5833
5834DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 5835
5836static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
5837 [EXEC_UTMP_INIT] = "init",
5838 [EXEC_UTMP_LOGIN] = "login",
5839 [EXEC_UTMP_USER] = "user",
5840};
5841
5842DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 5843
5844static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
5845 [EXEC_PRESERVE_NO] = "no",
5846 [EXEC_PRESERVE_YES] = "yes",
5847 [EXEC_PRESERVE_RESTART] = "restart",
5848};
5849
5850DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e 5851
6b7b2ed9 5852/* This table maps ExecDirectoryType to the setting it is configured with in the unit */
72fd1768 5853static const char* const exec_directory_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 5854 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
5855 [EXEC_DIRECTORY_STATE] = "StateDirectory",
5856 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
5857 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
5858 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
5859};
5860
5861DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
b1edf445 5862
6b7b2ed9
LP		 5863/* And this table maps ExecDirectoryType too, but to a generic term identifying the type of resource. This
5864 * one is supposed to be generic enough to be used for unit types that don't use ExecContext and per-unit
5865 * directories, specifically .timer units with their timestamp touch file. */
5866static const char* const exec_resource_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5867 [EXEC_DIRECTORY_RUNTIME] = "runtime",
5868 [EXEC_DIRECTORY_STATE] = "state",
5869 [EXEC_DIRECTORY_CACHE] = "cache",
5870 [EXEC_DIRECTORY_LOGS] = "logs",
5871 [EXEC_DIRECTORY_CONFIGURATION] = "configuration",
5872};
5873
5874DEFINE_STRING_TABLE_LOOKUP(exec_resource_type, ExecDirectoryType);
5875
5876/* And this table also maps ExecDirectoryType, to the environment variable we pass the selected directory to
5877 * the service payload in. */
fb2042dd
YW		 5878static const char* const exec_directory_env_name_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5879 [EXEC_DIRECTORY_RUNTIME] = "RUNTIME_DIRECTORY",
5880 [EXEC_DIRECTORY_STATE] = "STATE_DIRECTORY",
5881 [EXEC_DIRECTORY_CACHE] = "CACHE_DIRECTORY",
5882 [EXEC_DIRECTORY_LOGS] = "LOGS_DIRECTORY",
5883 [EXEC_DIRECTORY_CONFIGURATION] = "CONFIGURATION_DIRECTORY",
5884};
5885
5886DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(exec_directory_env_name, ExecDirectoryType);
5887
b1edf445
LP		 5888static const char* const exec_keyring_mode_table[_EXEC_KEYRING_MODE_MAX] = {
5889 [EXEC_KEYRING_INHERIT] = "inherit",
5890 [EXEC_KEYRING_PRIVATE] = "private",
5891 [EXEC_KEYRING_SHARED] = "shared",
5892};
5893
5894DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
Unnamed repository; edit this file 'description' to name the repository.